ietf-dkim

Re: [ietf-dkim] forward to friend, was besides mailing lists...

2010-05-04 01:02:23


On 5/3/2010 6:49 PM, John Levine wrote:
>> F2F was created in a kinder, gentler time, when address spoofing
>> wasn't nearly as much of a problem as it is now.  The fact that F2F
>> hasn't evolved to avoid spoofing users' addresses is a problem that
>> is only made more tangible by email authentication.
>
> I have to agree with Mike (alert the media!) that this seems to be a
> solution looking for a problem.  There are F2F systems all over the
> net, and the amount of spam or hostile spoofage we get from them is
> trivial.

But that's not really the issue.  The issue is whether and how using F2F might 
break end-to-end trust models that are being postulated when DKIM is used.

It's not whether there is likely abuse but whether the likely trust will become 
unenforceable, when it should be enforceable.


> It might be worth noting that a well-run F2F system can put its own
> signature on the mail, regardless of which of the many possible
> approaches it uses to set up the To:, From:, Reply-To:, and other
> visible headers.

And indeed, this might be the (or, at least, an) answer to the concern (except 
of course for ADSP assertions made too broadly because it can't cover this 
scenario).

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
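
The ADSP caveat in the message above, as an added example that is not part of the original post: an F2F service signs with its own domain, and a receiver applying ADSP (RFC 5617) looks for a signature whose d= matches the From: domain. The domains, messages, ADSP records and result labels are constructed for illustration, and the signatures are assumed to have already verified.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed ADSP records (RFC 5617 "dkim=" values), keyed by author domain.
ADSP = {"example.com": "discardable"}

# Constructed F2F messages. Both carry only the F2F service's own signature,
# which is assumed to have already verified; bh=/b= are placeholders.
SIG = ("DKIM-Signature: v=1; a=rsa-sha256; d=f2f.example.net; s=sel1;\n"
       " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n")
# Variant 1: the service puts the forwarding user's address in From:.
USER_IN_FROM = (SIG + "From: Alice <alice@example.com>\n"
                "To: bob@example.org\nSubject: Read this\n\nlink\n")
# Variant 2: the service uses its own address and puts the user in Reply-To:.
SERVICE_IN_FROM = (SIG + "From: Alice via F2F <share@f2f.example.net>\n"
                   "Reply-To: alice@example.com\n"
                   "To: bob@example.org\nSubject: Read this\n\nlink\n")

def signing_domains(msg):
    """Collect the d= tag of every DKIM-Signature header field."""
    domains = set()
    for value in msg.get_all("DKIM-Signature", []):
        for tag in value.split(";"):
            name, _, val = tag.partition("=")
            if name.strip() == "d":
                domains.add(val.strip().lower())
    return domains

def adsp_outcome(raw_message, adsp_records):
    """Return a hypothetical result label for one message."""
    msg = message_from_string(raw_message)
    author_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Author Domain Signature: a valid signature whose d= equals the From: domain.
    if author_domain in signing_domains(msg):
        return "author-domain-signature"
    practice = adsp_records.get(author_domain, "unknown")
    return {"unknown": "no-adsp-claim",
            "all": "suspicious",
            "discardable": "discard"}[practice]

if __name__ == "__main__":
    for name, raw in (("user in From:", USER_IN_FROM),
                      ("service in From:", SERVICE_IN_FROM)):
        print(name, "->", adsp_outcome(raw, ADSP))
```

With the user's address in From:, the service's signature does not count as an Author Domain Signature, so a "discardable" assertion by the user's domain covers the forwarded message even though it is validly signed by the F2F service.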
