Re: PRA algorithm and use of non-standard header fields
2004-07-19 21:32:14
On Jul 19, 2004, at 4:05 PM, Roy Badami wrote:
I don't see the PRA algorithm as some heuristic to try and construct
some new kind of identity from the headers; the PRA is a natural
concept that falls out of the headers defined by 822. If you want to
know who (according to the headers) sent you a message, would you do
anything substantially different from what the PRA algorithm
specifies?
Well, when Caller-ID was first presented to me, it was presented as a
heuristic. And later evolutions of the algorithm seemed to get even
more based on heuristics. I was told that the X-Envelope, etc...
things were added as they bettered some score on a test of "typical
mail".
However, I agree with you that the current form attempts to encapsulate
some notion of "who sent you this mail", as claimed by the headers.
Alas, any such definition comes up against two problems: 1) RFC 2822
doesn't talk in those terms, so we must infer, and 2) Current wide
spread usage may or may not conform.
For example, RFC 2822 says "Resent fields are used to identify a
message as having been reintroduced into the transport system by a
user." -- and yet none of the mailing lists I use, which seem to be
doing precisely this, add such headers. Nor do any of my mailers when
I choose "Forward". So, practice and RFC are in conflict. When, in
practice, are these fields added? Almost none of the mail I scanned
had them. On the other hand, wide spread use of a PRA check will
probably cause wider use of the headers, in situations which may or may
not be warranted.
On the other hand, RFC 2822 says "Resent fields are strictly
informational. They MUST NOT be used in the normal processing of
replies or other such automatic actions on messages." So, while it
might represent who re-injected the mail, the user is to treat the mail
as coming from the Sender:/From: addresses. Hence, perhaps that is the
identity that should be checked. I have seen it requested that MUAs
should change to show the PRA address to users as the sender of the
e-mail, but that would seem to be in direct opposition to RFC 2822's
intent of these headers. Though I'm sure this is open to
interpretation.
I point this out not because I have a strong feeling one way or the
other, but because I think it should be clear that we are going to have
to interpret 2822 and make some choices, and this will result in
changes in practice. Hence, I think it is reasonable to investigate,
via both technical arguments and statistics, how well these ideas work.
If we're going to use a header identity rather than the envelope
identity, then the PRA is the only obvious identity to use; I've
believed that since before Caller ID was proposed, and I have yet to
see anyone make a convincing argument for any other header identity.
See above for perhaps why just Sender:/From: could be argued for.
An IP-based authentication scheme obviously needs to look at who
actually sent the message, not on whose behalf it was sent (that
implies using Sender in preference to From).
Well, to the end user this may not be so clear. Because of the
fractured nature of the mail identities (who gets bounces, who
injected, who will get replies, who the user will see as the sender,
etc...), there are several options for what you might want to check.
The IP address isn't necessarily tied only to the concept of who
injected it. This is because the IP that injected the mail is in
control of (can forge) any of those other identities. So an IP-base
authentication scheme is essentially asking a domain "Is this IP
authorized to inject mail with your domain name in the following
identity?". I can see how a reasonable argument could be made for any
of those identities. As an end user I might even want them all
checked, and flagged when I try to base actions upon them.
If we're going to spend time on the PRA, I think we should be
analysing it semantically, not statistically.
If the semantics of mail identity were clear cut, and common practice
generally compliant, I'd agree. Alas, neither of these are true. I
think both semantics and statistics (testing with real world data) will
have to come into play.
(This complaint is in no way directed at Mark or any other specific
contributors to this thread, but to the WG as a whole.)
No offense taken, and hopefully none given.
I also don't want others to take this as a position against PRA. PRA
is a fine identity to check. As we come closer to some consensus on
PRA, and as we fine tune it, I want express how I view this check as a
guide to how we might refine it.
- Mark
Mark Lentczner
http://www.ozonehouse.com/mark/
markl(_at_)glyphic(_dot_)com
<Prev in Thread] |
Current Thread |
[Next in Thread>
|
- Re: PRA algorithm and use of non-standard header fields, (continued)
- Re: PRA algorithm and use of non-standard header fields, Andrew Newton
- PRA Algorithm Stats, Mark Lentczner
- Re: PRA algorithm and use of non-standard header fields, Mark Lentczner
- Re: PRA algorithm and use of non-standard header fields, Tony Finch
- Re: PRA algorithm and use of non-standard header fields, Roy Badami
- Re: PRA algorithm and use of non-standard header fields, Roy Badami
- Re: PRA algorithm and use of non-standard header fields,
Mark Lentczner <=
- Re: PRA algorithm and use of non-standard header fields, Tony Finch
- Re: PRA algorithm and use of non-standard header fields, Roy Badami
- Re: PRA algorithm and use of non-standard header fields, Andrew Newton
- Re: PRA algorithm and use of non-standard header fields, wayne
- Re: PRA algorithm and use of non-standard header fields, Margaret Olson
- Re: PRA algorithm and use of non-standard header fields, Greg Connor
- Re: PRA algorithm and use of non-standard header fields, Michel Bouissou
- Re: PRA algorithm and use of non-standard header fields, Douglas Otis
- Re: PRA algorithm and use of non-standard header fields, Douglas Otis
- Re: PRA algorithm and use of non-standard header fields, Andrew Newton
|
|
|