On Thu, Mar 18, 2004 at 10:20:43PM -0500, Meng Weng Wong wrote:
On Thu, Mar 18, 2004 at 07:04:04PM -0800, Mark C. Langston wrote:
| >
| > While designated sender schemes can be used to fight header forgery
| > (like CID does), they might be breaking too many things. The question we
| > should be asking is whether we should be verifying the "from" header,
| > not whether proposal X is better.
|
| Indeed.
|
OK, what is your answer?
My answer to "Should we be verifying the RFC2822 From: header"?
I'm not sure we can using crypto without MUA rewrites, though there are
other approaches.
For example, I think the idea of using the RFC2821 ENVELOPE-FROM as a
means to assign greater or lesser credibility to the contents of the
RFC2822 From: header has some merit, but that enters into the realm of a
reputation-based system, and as Yakov said, the issue is not "what's a
good way to do it?" but rather, "should we be considering it?"
Right now, my answer would be "yes, we should consider it", if only to
determine the manner and extent of the breakage the various approaches
may introduce. As long as the distinction between "consideration" and
"recommendation" is kept clear.
--
Mark C. Langston Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org
mark(_at_)seti(_dot_)org
Systems & Network Admin SETI Institute
http://bitshift.org http://www.seti.org