ietf-822

Re: draft-lilly-from-optional-01.txt

2005-02-23 10:03:48

On Tue February 22 2005 14:46, SM wrote:

draft-lilly-from-optional-01.txt makes the From: field optional.  According to
4.2. RFC 822 section 4.4.2, the Sender field is optional as well.

I suggest that your draft amends Section 3.6.2 of RFC 2822 and 4.2. RFC 822 
section 4.4.2 as follows:

If the from field is omitted then the sender field, containing the field 
name "Sender" and a single mailbox specification, MUST appear in the message.

If the From field is omitted, a Sender field MUST be supplied.

The above changes do not affect the anonymity of the author or authors 
while allowing domain-based email authentication if the sender implements it.

Responding to your points in reverse order:

The message header field "Sender" is an originator field which is
not necessarily related to the SMTP envelope sender return path (or
similar mechanisms in protocols other than SMTP).  Consequently, it
plays no role in authentication.

The draft addresses two separate cases where the From field is
inappropriate: 1) where the author has no Internet mailbox (this
is not a case of anonymity) and 2) where the author requires
anonymity.  In the first case, specifying a Sender field is certainly
possible, though not particularly useful (details below).  In the
second case, a Sender field may be harmful; it might directly
or indirectly (when the guys with firearms show up demanding to
know who a message's author is) defeat anonymity.  In the case of
an individual author who requires some degree of anonymity, the
claim that supplying that author's mailbox in a Sender field does not
affect anonymity doesn't bear much scrutiny.

The Sender field is not particularly useful; it is NEVER used
automatically in responses (RFC 822 sect. 4.4.2, also RFC 3834) --
the Reply-To field exists for support of the first case above where
some proxy is able to receive responses on behalf of an author with
no Internet mailbox, and SMTP envelope (or equivalent) is used for
delivery failure notifications.  In the case of multiple authors,
it may help to identify which of multiple authors sent a message;
provided that the sending author has an Internet mailbox and that
anonymity is not required.

So while I would carefully consider such a requirement if there's
a sound case for it, the "authentication" argument does not
constitute such a case, since message originator fields are not
intended for authentication protocol use.  Such consideration also
needs to take into account both reasons for making the From field
optional; putting information in a differently-named field does
not take anonymity into account.

Best regards,
  Bruce Lilly
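
The field roles described in the message above, as an added example that is not part of the original post: replies are addressed from Reply-To (falling back to From), delivery failure notifications go to the envelope return path, and Sender is consulted for neither. The function names and all addresses are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def addrs(msg, field):
    """Return the addr-specs from every occurrence of a header field."""
    return [a for _, a in getaddresses(msg.get_all(field, [])) if a]


def routing(raw, envelope_from):
    """Work out where replies and bounces go for one message.

    envelope_from is the SMTP MAIL FROM return path handed over by the
    transport; it is never derived from a header field.
    """
    msg = message_from_string(raw)
    sender = addrs(msg, "Sender")
    # Replies: Reply-To if present, otherwise From. Sender is never used.
    reply_to = addrs(msg, "Reply-To") or addrs(msg, "From")
    return {
        "reply_to": reply_to,
        "bounce_to": envelope_from,  # delivery failure notifications
        "sender": sender,
        # Sender and the envelope return path are independent values.
        "sender_matches_envelope": sender == [envelope_from],
    }


# Constructed sample: author has no Internet mailbox, so there is no From;
# a proxy receives responses through Reply-To.
NO_FROM = (
    "Sender: clerk@office.example\n"
    "Reply-To: Proxy Desk <proxy@example.org>\n"
    "Subject: notes\n\nbody\n"
)

# Constructed sample: two authors, Sender says which of them sent it.
TWO_AUTHORS = (
    "From: alice@example.com, bob@example.com\n"
    "Sender: bob@example.com\n"
    "Subject: joint memo\n\nbody\n"
)

if __name__ == "__main__":
    print(routing(NO_FROM, "bounces@lists.example"))
    print(routing(TWO_AUTHORS, "bob@example.com"))
```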