Re: sender vs author, channel vs object, designated sender vs crypto signatures
2004-03-18 21:27:25
Meng Weng Wong wrote:
On Thu, Mar 18, 2004 at 07:04:04PM -0800, Mark C. Langston wrote:
| >
| > While designated sender schemes can be used to fight header forgery
| > (like CID does), they might be breaking too many things. The question we
| > should be asking is whether we should be verifying the "from" header,
| > not whether proposal X is better.
|
| Indeed.
|
OK, what is your answer?
You can choose to verify the "from" header in all cases like Phil is
pushing, you can verify the "from" header in *some* cases like your
original proposal, or you can choose *not* to verify it. Case #1 breaks too
many things, case #2 might work but is likely not to be followed when
implemented, and case #3 does not stop header forgery at all.
HOWEVER, the main problem with header forging is fooling the user. If
the MUA can indicate to the user that a message is suspicious, perhaps by
displaying the "Return Path" header OR comparing the "Return Path" to
the "from" header and simply putting a question mark somewhere, that
might be something useful.
Even if you are only verifying the MAIL FROM, you did accomplish
something - the "Return Path" header in the mail message itself is now
verified and can be relied on (assuming you can deal with the forged
ones by removing them). Now that you verified it, you can build on that
fact.
Yakov
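The Return-Path-versus-From check Yakov sketches, as an added example that is not code from anyone in this thread. It assumes the receiving MTA has verified the SMTP MAIL FROM (by whatever designated-sender lookup is in use), strips every Return-Path header the remote side supplied, and stamps its own; the MUA then compares the domain of that Return-Path with the domain of the From header and would show the question mark on anything other than "ok". Comparing at the domain level rather than the full address, and the four result labels, are choices made here, not something the post specifies. The sample messages are constructed.

```python
"""Return-Path vs From: check for an MUA, with the MTA-side stamping step
that makes Return-Path trustworthy in the first place.

Added example, not from the original thread. Assumption: MAIL FROM was
verified by the receiving MTA before stamp_return_path() is called.
"""
from email import message_from_string
from email.utils import parseaddr


def stamp_return_path(raw, verified_mail_from):
    """Receiving-MTA step: discard every Return-Path the message arrived
    with (unverified, possibly forged by the sender) and record the
    envelope sender that was actually verified in the SMTP transaction."""
    msg = message_from_string(raw)
    del msg["Return-Path"]          # removes all occurrences of the header
    return "Return-Path: <%s>\n%s" % (verified_mail_from, msg.as_string())


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def classify(raw):
    """MUA step. Returns 'ok', 'mismatch', 'bounce' or 'unverified';
    anything but 'ok' is where the post's question mark would go."""
    msg = message_from_string(raw)
    rp_header = msg.get("Return-Path")
    if rp_header is None:
        return "unverified"         # no envelope sender recorded; nothing to build on
    _, rp_addr = parseaddr(rp_header)
    if rp_addr == "":
        return "bounce"             # null sender <>: a delivery report, not user mail
    _, from_addr = parseaddr(msg.get("From", ""))
    if "@" not in from_addr:
        return "mismatch"           # no usable author address to compare against
    return "ok" if _domain(rp_addr) == _domain(from_addr) else "mismatch"


# Constructed sample messages (not real traffic); example.* domains only.
LEGIT = "\n".join([
    "Return-Path: <alice@example.com>",
    "From: Alice <alice@example.com>",
    "To: bob@example.net",
    "Subject: lunch?",
    "",
    "Noon works for me.",
])

FORGED_FROM = "\n".join([
    "Return-Path: <bulk-4471@mailer.example.net>",   # what MAIL FROM verified
    "From: Account Security <security@bank.example.com>",
    "To: bob@example.net",
    "Subject: Verify your account",
    "",
    "Click the link below.",
])

BOUNCE = "\n".join([
    "Return-Path: <>",
    "From: Mail Delivery System <MAILER-DAEMON@example.net>",
    "To: bob@example.net",
    "Subject: Undelivered Mail Returned to Sender",
    "",
    "This is the mail system at host example.net.",
])

# Sender pre-supplied a Return-Path that agrees with its forged From:.
FORGED_RP = "\n".join([
    "Return-Path: <security@bank.example.com>",
    "From: Account Security <security@bank.example.com>",
    "To: bob@example.net",
    "Subject: Verify your account",
    "",
    "Click the link below.",
])

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("forged From", FORGED_FROM), ("bounce", BOUNCE)]:
        print("%-12s %s" % (name, classify(raw)))
    # Without the MTA step the sender's own Return-Path fools the check...
    print("forged Return-Path, unstripped:", classify(FORGED_RP))
    # ...which is why the MTA must replace it with the MAIL FROM it verified.
    stamped = stamp_return_path(FORGED_RP, "bulk-4471@mailer.example.net")
    print("forged Return-Path, stamped:  ", classify(stamped))
```

The FORGED_RP case is the point of the "assuming you can deal with the forged ones by removing them" caveat: a Return-Path the sender wrote itself passes the comparison, so the check is only as good as the MTA's habit of stripping and restamping that header.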