ietf-mailsig

Re: Web pages for MASS effort

2004-12-06 11:01:32

David Woodhouse writes:
Forgive me for snipping the actual discussion in which you demonstrate
some of the complexities of trying to use RFC2822 identities for this
task.

If we agree that we're doing this purely for transport-level
authorisation, then using RFC2822 identities buys us nothing over what
we'd get by checking only the RFC2821 sender. Apart from the gratuitous
extra complexity and the increased likelihood that people will implement
it badly, that is :)

First, MAIL FROM: does have the ambiguity of what you
do for <> in a bounce message. Surely you'd like to
be able to auth/authz bounces? 

But that said, Jim has been toying with the idea that the
_signer_ just includes in the signature the address(es?) 
that it wants to take responsibility for. If I understand
him correctly, it is not necessarily correlated with any
particular 2822 header tag (eg, from, sender...). Again if I
understand this correctly, it would be up to the receiver to
determine which address that it cares about and find a
corresponding signature that contains that asserted address.
Thus, it seems plausible that a MASS signer could have it
either way? I personally have been pretty reluctant to pick
one kind of 2822|2821 address as being The address that MASS
gives auth/authz; it seems prudent to me to be flexible so
that if the problem mutates, so can we.

        Mike

