Re: Withdraw of [rt.amsl.com #13277]: Authentication-Results Header Field Appeal

2009-02-26 Thread Douglas Otis


On Feb 25, 2009, at 11:42 PM, Murray S. Kucherawy wrote:


> Doug,
>
> On Wed, 25 Feb 2009 00:10:21 -0800, Doug Otis wrote:
>> The Sender-Header-Auth draft clouds what should be clear and
>> concise concepts. Organizations like Google have already remedied
>> many of the security concerns through inclusion of free form
>> comments.
>
> For the sake of being thorough, I looked into this.  A lead mail
> engineer at Gmail (I assume you're referencing Gmail and not
> Google's internal mail) tells me their inclusion of the relaying IP
> address as a comment in their Authentication-Results header fields
> has nothing to do with any sort of remedy in reference to any
> concerns they have about the specification.  It is for use by some
> other internal processes (which he was not at liberty to discuss
> further).


This overlooks their claim that SMTP client IP address information is  
useful, even for undisclosed reasons.  Even as a comment, it confirms  
IP addresses found elsewhere using regex as a remedy for defeating  
spoofed headers holding bogus IP addresses.



> Since you cited a plurality, do you have any other specific examples?


Unfortunately, the other major DKIM provider, Yahoo!, does not offer
this feature.  Is your question aimed at ensuring the ESP wagons are
fully circled?  The draft omits information that is essential for
checking whether a message source represents that of a NAT, for
example.  This is not about whether to accept a message, which might
be where the reputation of the domain would matter; this is about
determining whether the *authorized* client is known to protect
message elements used to reference the authorizations.  The
Authentication-Results header is not about which messages are to be
rejected; this header is about what results are safe to annotate.


-Doug
___
Ietf mailing list
Ietf@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
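A worked illustration of the cross-check Doug describes above (confirming an IP address carried as a comment in an Authentication-Results field against the address found elsewhere in the message). This is an added example, not code from either poster, from Gmail, or from the draft. It assumes a hypothetical receiving MTA whose authserv-id is mx.example.net, assumes that MTA's own Received field is the topmost one, and uses constructed header samples in which the SPF result's comment carries the client IP.

```python
import re

# Hypothetical: the authserv-id our own border MTA stamps into
# Authentication-Results fields. Fields claiming any other id are not ours.
TRUSTED_AUTHSERV_ID = "mx.example.net"

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Constructed sample (invented hosts and addresses): the SPF comment carries the
# connecting client's IP, and it agrees with the Received field our MTA wrote.
CONSISTENT_MESSAGE = """\
Received: from mail.sender.example (mail.sender.example. [192.0.2.25])
        by mx.example.net with ESMTP id abc123; Thu, 26 Feb 2009 10:00:00 -0800
Authentication-Results: mx.example.net;
       spf=pass (example.net: domain of bob@sender.example designates 192.0.2.25 as permitted sender) smtp.mailfrom=bob@sender.example;
       dkim=pass header.i=@sender.example
From: bob@sender.example
Subject: hello

body
"""

# Constructed: a pre-existing field claiming our authserv-id, but our MTA's own
# Received line shows the session actually came from a different address.
SPOOFED_MESSAGE = """\
Received: from open-relay.example (unknown [198.51.100.7])
        by mx.example.net with ESMTP id def456; Thu, 26 Feb 2009 10:05:00 -0800
Authentication-Results: mx.example.net;
       spf=pass (example.net: domain of bob@sender.example designates 192.0.2.25 as permitted sender) smtp.mailfrom=bob@sender.example
From: bob@sender.example
Subject: hello

body
"""

# Constructed: a field stamped by some other site's authserv-id is not evidence for us.
FOREIGN_MESSAGE = """\
Received: from mail.sender.example (mail.sender.example. [192.0.2.25])
        by mx.example.net with ESMTP id ghi789; Thu, 26 Feb 2009 10:10:00 -0800
Authentication-Results: mx.other.example; spf=pass (designates 192.0.2.25 as permitted sender)
From: bob@sender.example
Subject: hello

body
"""


def unfold_headers(raw):
    """Undo RFC 5322 folding and return the header block as (name, value) pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    fields = []
    for line in unfolded.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def client_ip_from_received(received):
    """Pull the bracketed client address out of a Received 'from host (... [ip])' clause."""
    m = re.search(r"\bfrom\b[^;]*?\[(" + IPV4 + r")\]", received)
    return m.group(1) if m else None


def parse_authentication_results(value):
    """Return (authserv_id, [(method, result, ip_in_comment)]) for one field value.
    Splitting on ';' is deliberately simple; a full tokenizer must treat ';' inside
    a (comment) as CFWS rather than as a separator."""
    head, _, rest = value.partition(";")
    authserv_id = (head.split() or [""])[0].lower()  # drop an optional version token
    results = []
    for clause in rest.split(";"):
        m = re.match(r"\s*([\w-]+)=(\w+)\s*(?:\(([^)]*)\))?", clause)
        if not m:
            continue
        ip = re.search(IPV4, m.group(3) or "")
        results.append((m.group(1).lower(), m.group(2).lower(), ip.group(0) if ip else None))
    return authserv_id, results


def check_message(raw, trusted_authserv_id=TRUSTED_AUTHSERV_ID):
    """Classify a message as 'trusted', 'spoofed' or 'untrusted', with a reason.
    Assumption: the topmost Received field was written by our own MTA, so the client
    IP it records is the ground truth any commented IP must agree with."""
    fields = unfold_headers(raw)
    received = [v for n, v in fields if n == "received"]
    ours = [parse_authentication_results(v) for n, v in fields if n == "authentication-results"]
    ours = [(a, r) for a, r in ours if a == trusted_authserv_id.lower()]
    if not ours:
        return "untrusted", "no Authentication-Results field from our authserv-id"
    session_ip = client_ip_from_received(received[0]) if received else None
    if session_ip is None:
        return "untrusted", "could not recover the client IP from our Received field"
    for _, results in ours:
        for method, result, ip in results:
            if ip is not None and ip != session_ip:
                return "spoofed", f"{method}={result} names {ip} but the session came from {session_ip}"
    return "trusted", f"commented client IP agrees with session IP {session_ip}"


if __name__ == "__main__":
    for label, msg in (("consistent", CONSISTENT_MESSAGE), ("spoofed", SPOOFED_MESSAGE),
                       ("foreign", FOREIGN_MESSAGE)):
        print(label, check_message(msg))
```

Fields from other authserv-ids are ignored rather than mined for evidence, and a field that claims our authserv-id but names an address our own Received line contradicts is treated as spoofed, because a free-form comment is text any upstream party could have written.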


Withdraw of [rt.amsl.com #13277]: Authentication-Results Header Field Appeal

2009-02-25 Thread Douglas Otis
The appeal of the Authentication-Results header draft is reluctantly  
being withdrawn.  While this draft confuses authorization with  
authentication, it is being withdrawn in the hope that subsequent Best  
Current Practices will soon remedy the shortcomings noted by the  
appeal.  This withdrawal is being done to better expedite adoption of  
the header, while at the same time recognizing the severe security  
deficiencies the current definition of this header imposes.


The Sender-Header-Auth draft clouds what should be clear and concise  
concepts. Organizations like Google have already remedied many of the  
security concerns through inclusion of free form comments.   
Unfortunately, comments are not a good vehicle for standardization,  
but perhaps some form of extension will soon adopt a standardized  
means to introduce vitally important SMTP client IP addresses.  The  
appeal was not taken lightly, but feedback from those within the email  
community appears to indicate a willingness to adopt this header standard.


Douglas Otis and Dave Rand


Re: Withdraw of [rt.amsl.com #13277]: Authentication-Results Header Field Appeal

2009-02-25 Thread Murray S. Kucherawy
Doug,

On Wed, 25 Feb 2009 00:10:21 -0800, Doug Otis wrote:
> The Sender-Header-Auth draft clouds what should be clear and concise
> concepts. Organizations like Google have already remedied many of the
> security concerns through inclusion of free form comments.

For the sake of being thorough, I looked into this.  A lead mail engineer at
Gmail (I assume you're referencing Gmail and not Google's internal mail) tells
me their inclusion of the relaying IP address as a comment in their
Authentication-Results header fields has nothing to do with any sort of
remedy in reference to any concerns they have about the specification.  It is
for use by some other internal processes (which he was not at liberty to
discuss further).

Since you cited a plurality, do you have any other specific examples?