-----Original Message-----
From: owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of
Internet-Drafts(_at_)ietf(_dot_)org
Sent: Wednesday, 21 July 2004 6:16 AM
To: i-d-announce(_at_)ietf(_dot_)org
Cc: ietf-mxcomp(_at_)imc(_dot_)org
Subject: I-D ACTION:draft-ietf-marid-submitter-02.txt
~~~~~~~
The section of the proposed SUBMITTER standard that I would change is in
part 4.2.
Currently the last paragraph of that section reads:-
Verifying MTAs are strongly urged to validate the SUBMITTER parameter
against the RFC 2822 headers; otherwise, an attacker can trivially
defeat the algorithm.
I would change this text to say:-
When a SUBMITTER parameter is provided then receiving MUAs SHOULD
display the SUBMITTER parameter as the sender of the email instead of
the original FROM address in the RFC 2822 headers; otherwise an
attacker can trivially defeat the algorithm by providing a different
SUBMITTER and FROM address.
This does not prevent people from developing proprietary email gateways
that do this level of header checking also. Rejecting email on the basis
of malformed content or headers is an existing option for administrators
and nothing in the modification I have suggested takes away this local
policy option. I just don't want to see MTAs reading the DATA section as
a standardised practice.
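
The check that the section 4.2 paragraph quoted above urges, sketched as an added example that is not part of the original message or of the draft: it compares the SUBMITTER parameter on MAIL FROM with the sender address found in the RFC 2822 headers, which is only possible once the header block from DATA has been read. The header precedence, the function names and the sample messages are assumptions made for illustration; xtext decoding of the parameter and handling of multiple Resent- blocks are left out.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed precedence for picking the header sender (simplified; not from the page).
HEADER_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

def submitter_param(mail_from_line):
    """Return the SUBMITTER= value of a MAIL FROM command, or None if absent."""
    m = re.search(r"\sSUBMITTER=(\S+)", mail_from_line, re.IGNORECASE)
    # Lower-casing the whole address is a simplification for comparison.
    return m.group(1).lower() if m else None

def header_sender(raw_headers):
    """Return (header name, address) for the first sender header present.

    The address is None when that header is repeated or does not hold
    exactly one mailbox, so the caller can treat the message as malformed.
    """
    msg = message_from_string(raw_headers)
    for name in HEADER_ORDER:
        values = msg.get_all(name)
        if not values:
            continue
        addrs = [addr for _, addr in getaddresses(values) if addr]
        if len(values) == 1 and len(addrs) == 1:
            return name, addrs[0].lower()
        return name, None
    return None, None

def check(mail_from_line, raw_headers):
    """Classify the envelope claim against the headers."""
    claimed = submitter_param(mail_from_line)
    if claimed is None:
        return "no-submitter"
    _, actual = header_sender(raw_headers)
    if actual is None:
        return "malformed-headers"
    return "match" if claimed == actual else "mismatch"

# Constructed sample messages (header block only).
HEADERS_DIRECT = "From: Alice <alice@example.com>\nSubject: hi\n\n"
HEADERS_LIST = ("Sender: list-owner@lists.example.org\n"
                "From: Alice <alice@example.com>\n\n")

if __name__ == "__main__":
    print(check("MAIL FROM:<bounce@bulk.example.net> "
                "SUBMITTER=promo@bulk.example.net", HEADERS_DIRECT))
```

A "mismatch" result is the case both versions of the paragraph are concerned with: the envelope names one responsible sender while the recipient is shown another.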