On Wed, 28 Nov 2007 18:46:27 -0000, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org>
wrote:
On Nov 28, 2007, at 5:35 AM, Charles Lindsey wrote:
Essentially, the signature MUST include the From header (others are at
the signer's discretion). So, at a minimum, the signer is asserting
that this message came into bis possession via a route that indicacted
that its origin was within the domain within the From (mailing list
signatures excepted, of course). If the signer is not prepared to vouch
for that, then he has no business signing it.
Many providers do a good job, and only ensure behaviour of those granted
access. These providers might not require From email-address vetting
equivalent to that of S/MIME certificates before granting access. Such
a provider may wish to assure recipients that their outbound SMTP
clients sign _all_ outbound messages. If this assurance were possible,
it could avoid complaints related to any spoofing which does not include
their signature. This is different from saying that all email-addresses
within the From header are assured to belong to the purported author, as
some might wish to assume. SSP does _not_ allow this distinction. SSP
policy is From domain centric, rather than from the perspective of the
SMTP client.
If there are multiple addresses in the From header, then there is supposed
to be a Sender. In that case, the signer (who SHOULD then include the
Sender in the signature) is asserting that the messages arrived into his
possession from the Sender rather than from the From. But in the absence
of a Sender header, then the signer is vouching for the From. What steps
the signer takes to satisfy himself that either the Sender or the From is
one of its legitimate clients is another matter, but such steps must not
be entirely absent.
Note that a mailing list expander is supposed to insert a Sender.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
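The rule argued in the exchange above (the signature must cover From; with several From mailboxes a Sender header is expected and should be covered too, and the signer is then vouching for the Sender rather than the From) can be checked mechanically from the DKIM-Signature h= tag. The following is an added example, not code from either poster or from any DKIM implementation. The messages and the bh=/b= values in them are constructed placeholders; the code checks only header coverage and performs no cryptographic verification.

```python
"""Which originator header does a DKIM signature vouch for?

Added example (not part of the original thread).  It applies the rule
discussed in the thread: the h= tag must cover From; when there are several
From mailboxes, RFC 5322 requires a Sender header, and the signer should
cover Sender as well.  Signatures below are constructed dummies: header
coverage is checked, nothing cryptographic is verified.
"""
from email import message_from_string
from email.utils import getaddresses


def signed_headers(dkim_signature_value):
    """Return the lower-cased header names listed in the h= tag.

    Tags are ';'-separated, header names in h= are ':'-separated, and both
    may contain folding whitespace, which is stripped here.
    """
    tags = {}
    for part in dkim_signature_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return [n.strip().lower() for n in tags.get("h", "").split(":") if n.strip()]


def coverage_report(raw_message):
    """Report which originator header the signature vouches for, plus any gaps.

    vouches_for is "sender" when a Sender header exists and is signed,
    "from" when only From is signed, and None when From is not covered.
    """
    msg = message_from_string(raw_message)
    report = {"vouches_for": None, "problems": []}
    sig = msg.get("DKIM-Signature")
    if sig is None:
        report["problems"].append("no DKIM-Signature header")
        return report

    h = signed_headers(sig)
    from_mailboxes = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    has_sender = msg.get("Sender") is not None

    if "from" not in h:
        report["problems"].append("h= does not cover From (DKIM requires it)")
    if len(from_mailboxes) > 1 and not has_sender:
        report["problems"].append(
            "several From mailboxes but no Sender header (RFC 5322 expects one)")
    if has_sender and "sender" not in h:
        report["problems"].append(
            "Sender present but not covered by h=; the signature says nothing about it")

    if "from" in h:
        report["vouches_for"] = "sender" if (has_sender and "sender" in h) else "from"
    return report


# Constructed sample messages (dummy bh=/b= values).
SINGLE_AUTHOR = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;
 h=From:To:Subject:Date; bh=dummy; b=dummy
From: alice@example.org
To: bob@example.net
Subject: single author
Date: Wed, 28 Nov 2007 18:46:27 -0000

body
"""

CO_AUTHORED_WITH_SENDER = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;
 h=From:Sender:To:Subject:Date; bh=dummy; b=dummy
From: alice@example.org, carol@example.org
Sender: secretary@example.org
To: bob@example.net
Subject: two authors, one sender
Date: Wed, 28 Nov 2007 18:46:27 -0000

body
"""

CO_AUTHORED_NO_SENDER = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;
 h=From:To:Subject:Date; bh=dummy; b=dummy
From: alice@example.org, carol@example.org
To: bob@example.net
Subject: two authors, no sender
Date: Wed, 28 Nov 2007 18:46:27 -0000

body
"""

FROM_NOT_SIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;
 h=To:Subject:Date; bh=dummy; b=dummy
From: alice@example.org
To: bob@example.net
Subject: from left out of h=
Date: Wed, 28 Nov 2007 18:46:27 -0000

body
"""

if __name__ == "__main__":
    for name, raw in [("single", SINGLE_AUTHOR), ("co+sender", CO_AUTHORED_WITH_SENDER),
                      ("co-no-sender", CO_AUTHORED_NO_SENDER), ("from-unsigned", FROM_NOT_SIGNED)]:
        print(name, coverage_report(raw))
```

Only the h= list is inspected, so a verifier that wants the guarantee discussed above still has to verify the signature itself; this report just tells you which of From or Sender that verified signature is actually a statement about.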