On Thu, 2004-10-28 at 07:37 -0700, Dave Crocker wrote:
> We are not trying to replicate pgp or s/mime. We are trying to serve
> an entirely different purpose. We are trying to say who is
> responsible for injecting this message into the message transfer
> service.
>
> The mailing list processor is responsible for injecting the message
> into the transfer service. Therefore the only signature that is valid
> for mail coming from it is the mailing list signature. The original
> authors are not accountable for the potentially arbitrary behavior of
> mailing list processors.

This looks very much like an argument for checking only the RFC2821
reverse-path, not anything from the RFC2822 headers. As such, I'm
inclined to agree. That makes life a _whole_ lot easier.

> There is no automatic requirement that the recipient user see
> anything about the signature.

Agreed.

--
dwmw2