At 10:14 am +0000 2004/03/22, Russell King wrote:
>On Mon, Mar 22, 2004 at 10:35:45AM +0100, Giuliano Gavazzi wrote:
>> As I've already said, this envelope sender munging is more broken than SPF.
>
>You've said it, but not really explained why. Sure, you've pointed
>out the case where a registry wants to use it for authentication,
>but it _can't_ be used for that purpose today anyway - it tells you
>nothing about the authenticity or even identity of the true sender.
nothing apart from signing will tell you that. Still it is used as a
first criterium to identify a sender and quite commonly.
>I'm interested in a well thought out argument against encoding
>additional sender information into the envelope sender like VERP
>mechanisms do, and not a hand waving "its broken" statement.
as I said is not really hand-waving. Besides, VERP does only encode
additional information that can be used by the originating domain,
nothing that, given the current status of the protocol, can be used
more than to say: yes, this address has been (or could have been)
used to send email from here.
This is all very good for spam prevention, but wrecks havoc any
method using the literal env.sender and forwarding using <>.
Giuliano
--
H U M P H
|| |||
software
Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/