Re: [mail-vet-discuss] Straw consensus call on auth-header draft
2008-10-23 15:07:25
Douglas Otis wrote:
The ADSP draft inhibits an assurance regarding _what_ the signing
domain authenticated! The Author Signature definition limits a
signing-domain's associated "on-behalf-of" identifier to being an
email address within the From header field or to being _blank_. As
a result, any intra-domain abuse cannot be safely identified. One
would be mistaken to assume the From email-address is always what a
signing domain authenticates. No other assumption would be available
without incurring an impractical second signature that is likely
ignored anyway. Should one care about the damage created by an
incorrect assumption regarding authentication, even when the
assumption is signed by the border MTA? Perhaps this could be called
the Assumed-Authentication-Results header. : )
-Doug
Doug,
I'm pretty sure you're talking about the reliability/assertions of ADSP
or even DKIM. That's orthogonal to what we're discussing here on
mail-vet-discuss. This draft is about moving the evaluation results
from an MTA to MUAs in a consistent and reliable manner. That the
evaluations themselves could conceivably be flawed or subverted is
already discussed in Security Considerations for this draft and is not
within the scope of this document.