On Oct 21 2004, Arnt Gulbrandsen wrote:
Bart Schaefer writes:
I didn't say there's no reason to allow the processing. I said
there's no reason for the end recipient to believe the Processed:
header, whether or not said header appears to be tied to a Received:
line, except on the last hop.
Oh, sorry. I misunderstood then. I more or less agree with what you're
saying, in that case. (Except that IMO, hops internal to the
destination organization can often be trusted.)
I agree with both of you on this. There's no intrinsic reason to
trust anything added before the last hop.
I argue here that there is sometimes a real need to trust more than the
last hop (maybe two or three hops only), but the ultimate decision requires
another mechanism (edict from admin, centrally configured CIDR masks
as posted by Justin Mason, etc).
What the Processed scheme is intended for is to reliably hang the processing
result onto a hop if possible, not authenticate the hop or the
Processed field itself. This way, if the hop is trusted for some
reason, then those associated Processed fields can be trusted, too.
I'm using words such as authentication and trust for this, but really
I don't know of a better terminology that would be more appropriate.
Suggestions welcome.
--
Laird Breyer.