RE: (DEPLOY) In Support of Sender ID



Kevin Peuhkurinen wrote:
>To my mind, there are ZERO hindrances to Microsoft
>adopting SPF, but there are plenty of hindrances
>for most everyone else to adopt the encumbered
>Sender-ID.

Ryan Malayter:
>SPFv1 does not address email header forging at all. So SPFv1 does very
>little to prevent forging of the "from" addresses seen by the user in
>99% of MUAs. SPFv1 therefore does very little to prevent phishing scams.
>This is why Microsoft came up with CallerID for email, and why Meng and
>MS decided to merge the best parts of SPF and Caller ID into SenderID
>approaches.

SPF protects envelope forging correctly. SenderID doesn't.

While SPF doesn't prevent forging of 2822 addresses seen by 99% of MUAs, the
same could be said of SenderID. I don't know of any MUAs which display the
PRA as described by SenderID.

So, either way, it means upgrading all the MUAs. IMHO, if we are going to
upgrade the MUAs to prevent phishing, we should look towards a stronger
crypto/signing solution, not the flimsy solution provided by SenderID.

Michael R. Brumm
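
The three identities this thread argues about, as an added example that is not part of the original post: the envelope sender that SPF checks, the PRA that Sender ID checks, and the From address an MUA displays. The PRA selection here is a simplified assumption (first non-empty of Resent-Sender, Resent-From, Sender, From, with the Resent-* ordering corner case omitted); the function names and both sample messages are constructed.

```python
# Added illustration: which identity each scheme checks vs. what the MUA shows.
from email import message_from_string
from email.utils import parseaddr

PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

def pra(msg):
    """Simplified PRA selection: first non-empty header in PRA_ORDER."""
    for name in PRA_ORDER:
        for value in msg.get_all(name, []):
            addr = parseaddr(value)[1]
            if addr:
                return name, addr
    return None, None

def domain(addr):
    return addr.rpartition("@")[2].lower() if addr else None

def identities(mail_from, raw):
    """Map one message to the domain each scheme checks and the one displayed."""
    msg = message_from_string(raw)
    header, pra_addr = pra(msg)
    return {
        "spf_checks": domain(mail_from),        # envelope MAIL FROM
        "senderid_checks": domain(pra_addr),    # PRA derived from headers
        "pra_header": header,
        "mua_displays": domain(parseaddr(msg.get("From", ""))[1]),
    }

def unverified_display(ids):
    """Schemes whose checked domain is not the domain the user sees."""
    return [k for k in ("spf_checks", "senderid_checks")
            if ids[k] != ids["mua_displays"]]

# Constructed sample: a message relayed by a mailing list.
LIST_MAIL = ("From: Alice <alice@example.org>\n"
             "Sender: list-owner@list.example.net\n"
             "Subject: hello\n\nbody\n")
# Constructed sample: a message sent directly by its author.
DIRECT_MAIL = "From: Alice <alice@example.org>\nSubject: hello\n\nbody\n"

if __name__ == "__main__":
    for env, raw in (("bounce@list.example.net", LIST_MAIL),
                     ("alice@example.org", DIRECT_MAIL)):
        ids = identities(env, raw)
        print(ids, "not covering displayed From:", unverified_display(ids))
```

For the list-relayed sample, both checks pass judgment on list.example.net while the reader sees example.org, so neither result says anything about the address on screen unless the MUA also shows the checked identity.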