> say that my goal for this service is to provide a mechanism for the
> domain of a message author to provide an assertion that they authorized
> the sending of a specific message.
...
it occurs to me that the precise meaning of your statement might actually
go farther than we want, since it implies per-message assessment by the
domain owner.
I should explain where my concern about "per-message assessment" came from:
The reference to "a specific message" means that each message is authorized.
The problem word is "specific". For per-message authorization to mean
anything, it has to imply per-message assessment.
So I suggest that the language should be modified a bit:
A validated MASS signature means that the domain listed in the
RFC2822.Sender(*) header has authorized the sender to post messages
under its domain. The domain is accountable for mail that it validates.
(*) The RFC2822.From header serves the role of the Sender specification,
when the RFC2922.Sender header is not present.
On 23 Nov 2004 06:13:16 -0000, John Levine wrote:
I find it helpful to remind people that the result of any
authentication scheme is only that you know who to blame for the
message, not whether a message is spam,
Exactly. And that's what I mean by the accountable, above.
On Mon, 22 Nov 2004 17:13:21 -0800 (PST),
ned(_dot_)freed(_at_)mrochek(_dot_)com wrote:
> The authentication process is intended to produce input to the
> receive-side filtering process. This may take place at any authorized
> agent working on behalf of the recipient. However it need not include
> the MUA.
Bingo. If allowing this sort of thing is all we accomplish, we will actually
have accomplished quite a bit.
yup.
Since the communication of the
authentication result may be secured in a variety of ways, including simply
passing the information across an internal link, it was deemed to be
insufficiently secure.
There has been quite a bit of focus on displaying the validation result to the
recipient user. My intent in stating that the filtering engine is the target
is that we view end-user display as an entirely secondary issue. Yes, it is
nice to do, but no, it is not any more essential than showing any of the other
filtering engine data results.
d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
www.brandenburg.com