ietf-mailsig

Re: mailing lists are delivery end-points

2004-12-15 19:06:17

On Wed, 2004-12-15 at 16:14, David Woodhouse wrote:
> On Wed, 2004-12-15 at 11:11 -0800, Douglas Otis wrote:
>> Perhaps a better way of viewing this would be to
>> consider the only valid field for Submitter signatures is the Sender
>> header, where this may be found, by virtue of compression, within the
>> From header when it is not present within the message.
>>
>> Is there a problem using this approach?
>
> Yes. The Resent-From: may be more recent than the Sender:
>
> Whichever one matches the RFC2821 MAILFROM, that's the one you probably
> want :)

The Sender field was intended to specify the mailbox of the agent
responsible for the actual transmission of the message.  These resent
headers could be seen as optional and happen to be unlimited in number. 
Resent-Sender/Resent-From is created when the entity identified in this
field resends a message with the intent of the message appearing to be
unchanged.  With signatures, this is no longer possible.  If this
message is to be re-signed, should the Resent headers not be used and the
From/Sender header made to reflect the current entity introducing the
mail?  Is not the goal of signatures to make it more obvious who is
sending the message?

Resent fields are prepended to a message that is reintroduced, where this
set of fields is added each time this is done.  No other fields in the message
are changed when resent fields are added.  There can be a choice made
when signing is involved.  Rather than using the Resent-headers when
signing the message, assert the Sender/From according to the current
sender.  This alters the original message to appear to be from the
entity now resending it.  Does this somewhat deceptive resent practice
make sense with respect to signing?  Add a header that captures the lost
Sender?  If there is a signing-unaware reintroduction of a signed
message, would having the resent feature not be used when signing help
identify this event?  If there is a desire to retain the use of Resent
headers, the signature should specifically bind to the appropriate
From/Sender or Resent-From/Resent-Sender header.  

-Doug
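
Added example (not part of the message above): selecting which originator header a signature would bind to, taking the newest Resent-* block first, then Sender, then From, and preferring whichever matches the RFC 2821 MAIL FROM as the quoted reply suggests. The sample message, the rule used to find the end of a Resent block, and the fallback when nothing matches MAIL FROM are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (not from the thread): resent twice, newest block on top.
SAMPLE = """\
Received: from lists.example.net by mx.example.com; Wed, 15 Dec 2004 12:05:00 -0800
Resent-From: list-agent@lists.example.net
Resent-Date: Wed, 15 Dec 2004 12:00:00 -0800
Resent-From: forwarder@example.org
Resent-Sender: clerk@example.org
Resent-Date: Wed, 15 Dec 2004 11:30:00 -0800
From: Alice <alice@example.org>
Sender: secretary@example.org
Subject: constructed sample

body
"""

def newest_resent_block(msg):
    """Resent-* fields of the most recent reintroduction (the topmost block)."""
    block = {}
    for name, value in msg.items():
        key = name.lower()
        if key.startswith("resent-"):
            if key in block:   # assumption: a repeated field starts an older block
                break
            block[key] = value
        elif block:            # first non-Resent field ends the block
            break
    return block

def candidates(msg):
    """(header, address) pairs, most recent introducer first."""
    block = newest_resent_block(msg)
    fields = [("Resent-Sender", block.get("resent-sender")),
              ("Resent-From", block.get("resent-from")),
              ("Sender", msg.get("Sender")),
              ("From", msg.get("From"))]   # From stands in when Sender is absent
    return [(name, addr.lower()) for name, value in fields if value
            for _, addr in getaddresses([value]) if addr]

def binding_header(msg, mail_from=None):
    """Header a signature would bind to; prefer the one matching MAIL FROM."""
    found = candidates(msg)
    for name, addr in found:
        if mail_from and addr == mail_from.lower():
            return name, addr
    return found[0] if found else None  # assumed fallback: newest introducer
```

Looking up Resent-Sender across the whole header instead of within the topmost block would return clerk@example.org here, an address from the older reintroduction.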

