On Fri, 2005-01-14 at 14:20 -0500, James Galvin wrote:
--On Friday, January 14, 2005 5:17 PM +0000 David Woodhouse

OK, let us assume that we've ditched the idea of having a signature on
the From: header which can survive mailing lists, and we're only going
to attempt to authenticate the 'most recent sender'.

I'm suggesting that each hop tell the next hop "the most recent sender",
and that we carry that information forward.

That is the basic concept behind the network level protections. The use
of a signature on the message can not protect the network, and so a
rather basic authentication scheme of name to address provides this
function with greater benefits.

An authentication result header could be notes added to Received.

In fact, if a hop changes the value of the sender, perhaps as a result of
list expansion, it just has to be honest about having done it. This
change could be indicated as part of what it signs and passes on.

We could take this a step further and suggest that when a message is
first submitted, if the first hop finds the 2822 From does not match the
2821 From, then it too indicates this change.

Now you are suggesting a path registration scheme. It could be done
using names rather than addresses, but still that offers less benefit
for the level for conformance required.

I don't think we should concern ourselves with why the change occurred.
What's important is stating that it was knowingly changed. Let the
recipient sort it out later. This would be the value that a reputation
system could add, later.

I agree an authentication result trace would be helpful. It could note
what names were authenticated. Wrapping this with a signature would also
be interesting. Would you see the signature being applied to just the