Re: sender vs author, channel vs object, designated sender vs crypto sig

Meng,


MWW> | Using Mail From to authenticate a role involved with authorship or
MWW> | posting (initial sending) will break those legitimate uses and will
MWW> | remove an important capability from Internet mail.
MWW> I'm not sure what point you're making.  Are you saying that the RFC2821
MWW> MAIL FROM should not be the subject of autentication at all?

I'll assume that your later posts cover this concern.


MWW> 1) I believe that it is important to protect the RFC2821 MAIL FROM from
MWW>    illegitimate spoofing, independent of the RFC2822 header From:.

That phrasing sounds like an assertion that we can have productive
discussion about.

Even worse (...) it sounds like a pretty reasonable goal, since I am
sure folks will agree that unauthorized use of bounces addresses is a
serious problem.


MWW> 2) I believe that the most appropriate way to do so is with a designated
MWW>    sender scheme.

When the working group starts debating particular schemes for achieving
the desired authentication (and maybe authorization) we can pursue of
this scheme, and others, further.


MWW> 3) I believe that it is also important to protect the RFC2822 header From:
MWW>    from illegitimate spoofing, independent of the RFC2821 MAIL FROM.

Hard to argue with that view.  (Although, of course, a community like
this can argue about anything...)



d/
--
 Dave Crocker <dcrocker-at-brandenburg-dot-com>
 Brandenburg InternetWorking <www.brandenburg.com>
 Sunnyvale, CA  USA <tel:+1.408.246.8253>