On Tue, 02 Jan 2007 18:11:06 -0000, Douglas Otis
> It may prove a mistake mandating the signing of the From header once
> internationalization becomes common. The From header mandate supports a
> highly dubious anti-spoofing effort based upon visual recognition. A
> far more secure alternative applies annotations to digitally recognized
> originators. Such an annotation scheme does not require troublesome
> From header stipulations and is not susceptible to various visual
> exploits, such as the use of look-alikes or cousin domains.
I agree. An unsigned From is a cause for suspicion, but there may
sometimes be valid reasons, which the verifier should be allowed to
consider. For example, in EAI the From may get downgraded during transit.
It is not yet clear what would be the best way to get around that problem,
but unnecessarily restrictive "MUST"s are not going to help. "SHOULD"
would have been quite strong enough - no interoperability problem arises.
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
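The verifier-side behaviour Lindsey argues for (treat a signature that does not cover From as a reason for suspicion and local policy, not as an automatic failure) can be expressed as a small policy check over the h= tag of a DKIM-Signature header. The code below is an added example written for this page; it is not from the thread, from the DKIM specification, or from any DKIM library. It assumes the cryptographic verification of the signature has already been done elsewhere and is passed in as a boolean, and the sample DKIM-Signature headers and their bh=/b= values are constructed placeholders, not real signatures.

```python
"""Policy for DKIM signatures whose h= tag does not list the From header.

Added example, not code from the thread or any DKIM implementation.
Only the tag-list syntax of DKIM-Signature (RFC 6376, tag=value pairs
separated by ';') is parsed here; crypto verification is assumed done.
"""
from __future__ import annotations

import re


def parse_tags(dkim_signature: str) -> dict[str, str]:
    """Unfold a DKIM-Signature header value and split it into its tags."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", dkim_signature)
    tags: dict[str, str] = {}
    for part in unfolded.split(";"):
        if "=" not in part:
            continue
        # partition on the first '=' only: base64 in b= may itself contain '='
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags


def signed_headers(dkim_signature: str) -> list[str]:
    """Return the lower-cased header field names listed in the h= tag."""
    h_tag = parse_tags(dkim_signature).get("h", "")
    return [name.strip().lower() for name in h_tag.split(":") if name.strip()]


def from_policy(dkim_signature: str, crypto_valid: bool) -> str:
    """Classify a message by whether its verified signature covers From.

    'fail'               - the signature did not verify cryptographically
    'pass'               - verified, and From is among the signed headers
    'pass-unsigned-from' - verified, but From is not covered; the verifier
                           records this as suspicious and applies local
                           policy rather than rejecting outright
    """
    if not crypto_valid:
        return "fail"
    if "from" in signed_headers(dkim_signature):
        return "pass"
    return "pass-unsigned-from"


# Constructed sample headers (placeholder hash/signature values, not real).
SIG_WITHOUT_FROM = (
    "v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
    " h=Date:Subject:To:Message-ID; bh=BODYHASH=; b=SIGBYTES=="
)
SIG_WITH_FROM = (
    "v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
    " h=From:Date:Subject:To:Message-ID; bh=BODYHASH=; b=SIGBYTES=="
)

if __name__ == "__main__":
    print(signed_headers(SIG_WITHOUT_FROM))
    print(from_policy(SIG_WITHOUT_FROM, crypto_valid=True))
    print(from_policy(SIG_WITH_FROM, crypto_valid=True))
```

The three-way result is the point: a signature that verifies but omits From is neither a pass nor a fail on its own, which is what a "SHOULD" on signing From leaves room for, whereas a "MUST" would force the verifier to collapse the middle case into a failure even when, as in the EAI downgrade case mentioned above, the omission may have a legitimate cause.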