(oops, pressed "send" too early last time)
Dave Crocker wrote:
> The more discussion there is about signature requirements involving transit
> accountability -- i.e., the MASS goal -- the more I think we need to focus on the role of
> the actor who "creates" the total current message. That's the RFC2822.Sender
> or RFC2822.Resent-sender. (As the footnote notes, when there is no 'sender' field
> present, the 'from' fields hold a virtual copy of it.)
> Although having to look for two fields is more complicated than 1, I think that
> 'latest poster into the transfer service' is the simplest concept. They are,
> after all, the entity that should be accountable for the current transfer of
> the message by the end-to-end handling service.
I believe that the motivation for tying the signature to a particular
header (such as Sender) is to provide some justification for why the
signature is there in the first place, that is to say, what role the
signer was representing. So if I got a message on this list that was
signed by owner-ietf-mailsig@mail.imc.org, I could look at the Sender
address and say "Aha! That was signed on behalf of the mailing list".
But I'm wondering how much value it has to be able to tie the signature
to a particular header, especially since an attacker that wanted to just
apply a signature could just as easily modify the Sender header and then
do so. The fact that the signature correlates with the Sender address
adds no additional security.
As someone has suggested, how about if we require a signature header to
carry a "responsible address" which is the address that the signer
identifies as the party willing to accept responsibility for the
message. The responsible address MAY be the same as the From, Sender,
Resent-Sender, or Resent-From addresses (for example), but it need not.
I would then advocate that the responsible address SHOULD be made
visible to the recipient in some way, if possible, such as the "via"
thing mentioned in section 7.6 of the IIM Draft. If the responsible
address is the same as the (2822) From address, no extra visibility is
required (except maybe if the MUA only displays the display-name). And,
although some will disagree with me here, I consider a valid signature
whose Responsible Address matches the From address to be preferred to
one that doesn't, simply because it's an assertion directly from a
signer representing the original author of the message.
-Jim
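An added example (not code from the thread or from the IIM/MASS drafts) that applies the two ideas above to a parsed message: Dave's "latest poster into the transfer service" rule over the Sender/Resent-* fields, and Jim's proposed "responsible address" carried by the signature, with the "via" visibility rule. The header name `X-Responsible-Address` and the example.org addresses are assumptions; the drafts' real signature syntax is not reproduced.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical placeholder for wherever a signature would carry the address;
# the actual IIM/MASS field name is not assumed here.
RESPONSIBLE_HDR = "X-Responsible-Address"

def accountable_poster(msg):
    """'Latest poster into the transfer service': a Resent-* field, if present,
    describes the most recent posting, so it wins over Sender/From; Sender wins
    over From; and From is the virtual copy of Sender when Sender is absent."""
    for hdr in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if msg.get(hdr):
            return parseaddr(msg[hdr])[1].lower()
    return None

def classify(raw):
    """Relate the signer's responsible address to the originator fields and
    decide whether the recipient should see it separately ('via')."""
    msg = message_from_string(raw)
    resp = parseaddr(msg.get(RESPONSIBLE_HDR, ""))[1].lower()
    if not resp:
        return {"responsible": None, "role": "unsigned", "show_via": False}
    frm = parseaddr(msg.get("From", ""))[1].lower()
    if resp == frm:
        role = "author"       # preferred: signer represents the original author
    elif resp == accountable_poster(msg):
        role = "poster"       # e.g. a mailing list or forwarder signing as Sender
    else:
        role = "third-party"  # responsible party matches none of the originators
    # The responsible address SHOULD be shown unless it already equals From.
    return {"responsible": resp, "role": role, "show_via": resp != frm}

# Constructed sample messages (not real traffic).
LIST_MSG = """From: Alice <alice@example.org>
Sender: owner-list@lists.example.net
X-Responsible-Address: owner-list@lists.example.net
Subject: constructed list post

body
"""
AUTHOR_MSG = """From: Alice <alice@example.org>
X-Responsible-Address: alice@example.org
Subject: constructed direct post

body
"""
```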