On Fri, 14 Jan 2005, Douglas Otis wrote:
On Fri, 2005-01-14 at 14:20 -0500, James Galvin wrote:
--On Friday, January 14, 2005 5:17 PM +0000 David Woodhouse
<dwmw2(_at_)infradead(_dot_)org> wrote:
OK, let us assume that we've ditched the idea of having a signature on
the From: header which can survive mailing lists, and we're only going
to attempt to authenticate the 'most recent sender'.
I'm suggesting that each hop tell the next hop "the most recent sender",
and that we carry that information forward.
That is the basic concept behind the network level protections. The use
of a signature on the message can not protect the network, and so a
rather basic authentication scheme of name to address provides this
function with greater benefits.
An authentication result header could be notes added to Received.
This should be interpreted as:
Authentication-Results header MUST be a trace header and MUST be treated
the same way as Received.
In fact, if a hop changes the value of the sender, perhaps as a result of
list expansion, it just has to be honest about having done it. This
change could be indicated as part of what it signs and passes on.
This should be interpreted as:
Intermediate MTA agents should indicate what envelope and header data
they have changed and provide this information as trace data. If an MTA
also signs the message with a signature, the signature must be above and
include referenced data.
For a proposal on how to record changed message data by an intermediate MTA, see:
http://www.elan.net/~william/emailsecurity/draft-leibzon-emailredirection-traceheaders-00.txt
We could take this a step further and suggest that when a message is
first submitted, if the first hop finds the 2822 From does not match the
2821 From, then it too indicates this change.
Now you are suggesting a path registration scheme. It could be done
using names rather than addresses, but still that offers less benefit
for the level for conformance required.
Please do not turn MASS into path registration. The way I see, some of the
proposals like DK are already pretty damn close to path registration (since
it can accommodate only very simple types of email forwarding/redirection).
I don't think we should concern ourselves with why the change occurred.
What's important is stating that it was knowingly changed. Let the
recipient sort it out later. This would be the value that a reputation
system could add, later.
I agree an authentication result trace would be helpful. It could note
what names were authenticated. Wrapping this with a signature would also
be interesting. Would you see the signature being applied to just the
Received header?
My opinion is that email signature should include/sign all previously
added trace data (since that data is not supposed to be changed by
subsequent systems, it is safe to do so). META-Signature deals with it
quite well and I specifically say that trace data can and should be
directly referenced and included as part of signature data whereas
headers such as Sender or Subject that can get changed during SMTP
Transmission are not included and are instead copied over to Saved-
header (and these Saved- headers are considered trace data then).
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
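
The idea in the last paragraph of the message above (sign the trace data already on the message, and copy changeable headers such as Sender and Subject into Saved- headers that are then treated as trace data), sketched as an added example that is not part of the original post and is not META-Signature's actual format. The header name X-Example-Signature, the HMAC used as a stand-in for a real public-key signature, the canonicalization and the sample message are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: these header-name prefixes count as trace data for this sketch.
TRACE = ("received", "authentication-results", "saved-", "x-example-signature")
MUTABLE = ("Sender", "Subject")  # headers the message names as changeable in transit

def canon(headers):
    """Canonical bytes for the covered headers (made-up canonicalization)."""
    return "\r\n".join(f"{n.lower()}:{v.strip()}" for n, v in headers).encode()

def covered(headers):
    return [(n, v) for n, v in headers if n.lower().startswith(TRACE)]

def sign_hop(headers, key, hop):
    """Copy mutable headers to Saved-*, then sign all trace data below."""
    saved = [("Saved-" + n, v) for n, v in headers if n in MUTABLE]
    body = saved + headers
    mac = hmac.new(key, canon(covered(body)), hashlib.sha256).hexdigest()
    return [("X-Example-Signature", f"hop={hop}; mac={mac}")] + body

def verify_hop(headers, key):
    """Verify the topmost signature against the trace data beneath it."""
    for i, (n, v) in enumerate(headers):
        if n == "X-Example-Signature":
            want = hmac.new(key, canon(covered(headers[i + 1:])), hashlib.sha256)
            return hmac.compare_digest(v.rsplit("mac=", 1)[-1], want.hexdigest())
    return False

def rewrite(headers, name, value):
    """Return a copy with every header called `name` set to `value`."""
    return [(n, value if n == name else v) for n, v in headers]

# Constructed sample message and key, for illustration only.
KEY = b"demo-key-not-a-real-secret"
SAMPLE = [
    ("Received", "from mx.example.net by list.example.org; Fri, 14 Jan 2005 20:00:00 +0000"),
    ("Authentication-Results", "list.example.org; sender=alice@example.net"),
    ("From", "alice@example.net"),
    ("Sender", "alice@example.net"),
    ("Subject", "Hello"),
]

if __name__ == "__main__":
    signed = sign_hop(SAMPLE, KEY, "list.example.org")
    print(verify_hop(signed, KEY))                                      # untouched
    print(verify_hop(rewrite(signed, "Subject", "[list] Hello"), KEY))  # list tag added
    print(verify_hop(rewrite(signed, "Received", "from forged"), KEY))  # trace altered
```

A later hop that rewrites Subject leaves the signature valid because only the Saved-Subject copy is covered, while any change to an earlier Received or Authentication-Results line is detected.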