ietf-mxcomp

Re: sender vs author, channel vs object, designated sender vs crypto signatures

2004-03-18 21:36:04

On Thu, Mar 18, 2004 at 10:20:43PM -0500, Meng Weng Wong wrote:
> On Thu, Mar 18, 2004 at 07:04:04PM -0800, Mark C. Langston wrote:
> | >
> | > While designated sender schemes can be used to fight header forgery
> | > (like CID does), they might be breaking too many things. The question we
> | > should be asking is whether we should be verifying the "from" header,
> | > not whether proposal X is better.
> |
> | Indeed.
> |
>
> OK, what is your answer?


My answer to "Should we be verifying the RFC2822 From: header"?

I'm not sure we can using crypto without MUA rewrites, though there are
other approaches.

For example, I think the idea of using the RFC2821 ENVELOPE-FROM as a
means to assign greater or lesser credibility to the contents of the
RFC2822 From: header has some merit, but that enters into the realm of a
reputation-based system, and as Yakov said, the issue is not "what's a
good way to do it?" but rather, "should we be considering it?"

Right now, my answer would be "yes, we should consider it", if only to
determine the manner and extent of the breakage the various approaches
may introduce.  As long as the distinction between "consideration" and
"recommendation" is kept clear.


-- 
Mark C. Langston                                    Sr. Unix SysAdmin
mark(_at_)bitshift(_dot_)org                 mark(_at_)seti(_dot_)org
Systems & Network Admin                                SETI Institute
http://bitshift.org                               http://www.seti.org

