ietf-mailsig

Re: Sender signatures are useful for...?

2004-12-09 20:35:11

In <1102627153.2880.170.camel@localhost.localdomain>
Douglas Otis <dotis@mail-abuse.org> writes:

> On Thu, 2004-12-09 at 11:50, wayne wrote:
>> In <16824.40492.723484.512812@mtcc.com> Michael
>> Thomas <mike@mtcc.com> writes:
>>
>>> So it seems that a lot of people are taking it as axiomatic
>>> that a Sender: signature provides some utility.
>>
>> Personally, I see very little utility in protecting the Sender:
>> header, and far far less in protecting the Resent-* headers.  I see a
>> lot of utility in protecting the From: header, the envelope from
>> (2821.MAILFROM), and the HELO domain.
>
> How does this get deployed?  The From is a function of the Originator
> and can be a domain independent of the Submitter domain.

I'm not certain what you are asking.  I may have not been clear in
what I was stating.  I don't think a *single* system has to protect
the 2822.From:, the 2821.MAILFROM and the 2821.HELO; those are just
the identities that I see as being most useful to protect with various
systems.

Most of the systems talked about on this MASS list deal with the 2822
identities, but the signatures in SRS and SES also can protect the
2821.MAILFROM (via callbacks).  I don't know of any signature system
that protects the 2821.HELO.

I don't see much utility in systems such as SenderID, which really just
protect the Resent-* headers.  The problem I see with trying to sign
the Sender: and Resent-* headers is that they are not always displayed
by the MUA.  Even when they are displayed, I suspect phishers can make
effective use of implying that the email is really from the phished
company while signing the other headers.


-wayne
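An added example, not from the thread, of the point above that a signature carried in the envelope from can protect the 2821.MAILFROM at callback time: the receiving MTA only honours bounces or sender-verification callbacks to a return path that carries its own valid, unexpired signature. The address layout, key and expiry window are constructed for this illustration and are a simplified scheme, not the SRS or SES wire format.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed key and domain for the example; a real MTA keeps a per-domain secret.
SECRET = b"example-signing-key"
SIGNING_DOMAIN = "example.net"
VALIDITY = 7 * 24 * 3600  # a signed return path is honoured for one week


def _tag(local_part: str, expires: int) -> str:
    """HMAC over the expiry and the original sender, truncated and base32-encoded
    so it survives as a local-part fragment."""
    msg = f"{expires}:{local_part}@{SIGNING_DOMAIN}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.b32encode(mac[:10]).decode().lower().rstrip("=")


def sign_mailfrom(local_part: str, now: Optional[int] = None) -> str:
    """Rewrite the 2821.MAILFROM into a signed form (constructed layout):
    <base>=<expiry>=<tag>@domain.  The expiry bounds replay of a leaked address."""
    now = int(time.time()) if now is None else now
    expires = now + VALIDITY
    return f"{local_part}={expires}={_tag(local_part, expires)}@{SIGNING_DOMAIN}"


def verify_mailfrom(address: str, now: Optional[int] = None) -> Optional[str]:
    """Check the target of a bounce or callback.  Returns the original local-part
    when the signature is ours and unexpired, else None (callback is rejected)."""
    now = int(time.time()) if now is None else now
    local, _, domain = address.rpartition("@")
    if domain != SIGNING_DOMAIN:
        return None
    parts = local.rsplit("=", 2)  # split from the right: the base may contain '='
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    base, expires, tag = parts[0], int(parts[1]), parts[2]
    if expires < now:
        return None
    if not hmac.compare_digest(tag, _tag(base, expires)):
        return None
    return base
```

An unsigned address such as wayne@example.net is rejected outright, so a forged MAILFROM in our domain cannot draw a callback or backscatter bounce.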


