ietf-822
[Top] [All Lists]

Re: Choosing recipient of automatic replies

2002-06-03 12:37:52

From vs. Sender is as valid as it ever was.  My boss is constantly
asking other people (his secretaries and other employees) to send
out messages on his behalf.

From and Sender is only one way to solve that particular problem.
Authenticated sender permissions is another. Letting any fool send mail as
your boss is about the dumbest imaginable method, given the current
climate. It was certainly a reasonable design choice at its inception but
things change, eh.

okay, but what you've specified is not semantically equivalent to
From vs. Sender - nor does it seem to reflect reality as well.  
(at least not in my part of the world - though I expect that 
practice varies quite widely from one culture to another)

authentication is a separate issue. it is as easy to authenticate From 
and/or Sender as it would be to authenticate your Sender and Signatories. 

e.g. 

From: Jack Dongarra <dongarra(_at_)cs(_dot_)utk(_dot_)edu>
From-authorization: {a formatted statement indicating that 
  "<moore(_at_)cs(_dot_)utk(_dot_)edu> is allowed to send messages on my behalf"
  and including certain conditions, like date and/or subject,
  that is signed using dongarra(_at_)cs(_dot_)utk(_dot_)edu's private key}
Sender: Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu>
Content-type: multipart/signed

{message signed with moore(_at_)cs(_dot_)utk(_dot_)edu's signature}

Keith

p.s. however don't expect this to reduce the amount of spam.