Rand Wacker writes:
On Sun, 19 Sep 2004, David Woodhouse wrote:
On Sat, 2004-09-18 at 23:58 -0500, Seth Goodman wrote:
Lists do it now by the submitting address (broken ones use the
return-path), so they can switch to validating signatures instead.
I disagree. That reduces it to a hop-by-hop scheme again. In order to
determine the probability that this message really did come from me,
you'd have to ponder how much you trust the list server to have actually
checked.
When handling mail list mail, I would *much* rather be checking for
whitelisting/reputation information about the address of the *list* than
the address of individuals posting to it. Specifically, I don't want to
take the risk of having different posts to the same thread being treated
differently based on who they are from (almost as risky as today's
content-filtering approaches).
It strikes me that trying to decide whether Sender, From,
etc is "best" is not really a worthwhile prediction to make.
The fact is, both From and Sender's identities are
interesting pieces of information, and may tell you
different things. From that standpoint, it seems that more
information rather than "best" information is a better hedge
for the future.
Its not that Seth's suggestion "reduces" the crypto solution to a
hop-by-hop scheme, but that the mailing list really *should* be taking
responsibility for the message.
To the degree that it can, of course. It can ultimately boot
a user from the list, but counting on that kind of
enforcement is going to be a longer term proposition. I
suspect that -- as now with receiver based content filtering
-- a "preponderance of evidence" is still going to rule the
day. Having both From and Sender authorized give you two
reputations to develop that judgement. That seems like a
nice feature, not a bug, and by allowing both we get to
defer which is *really* most interesting to actual real live
deployments.
Mike