ietf-mailsig

Re: RFC2821 vs. RFC2822 signatures.

2004-09-27 16:25:44

At 12:51 PM 9/24/2004 +0100, David Woodhouse wrote:
> So if we accept the extra complexity of signing with the RFC2822
> addresses, we need to make sure it's not easily bypassable by adding
> 'Sender:' or 'Resent-From:' headers. I think we really need to go all
> the way and do the thing with multiple signatures. So you can verify
> that it really is from the people in the From: header, that it really
> was sent by the person in the Sender: header and it really was resent by
> the people in the Resent-From: header etc.

If the message content isn't modified, really only the signature associated 
with the From: header is needed.  But since mailing lists, etc. modify 
messages, they need to be able to sign on the basis of the Sender: address.  
But in that case the signature associated with From: is likely to have been 
broken by the modifications.

We absolutely need to make sure the user sees that something other than
From produced the signature that was able to be verified, if that is the case.  
My suggestion has been to do some rewrite of the From address to accomplish 
that.  The devil is in the details though, since different MUAs display 
different things.

-Jim

