-----Original Message-----
From: Dave Crocker [mailto:dhc(_at_)dcrocker(_dot_)net]
Sent: Friday, 23 July 2004 5:03 AM
To: Terje Petersen
Cc: ietf-mxcomp(_at_)imc(_dot_)org
Subject: Re: I-D ACTION:draft-ietf-marid-submitter-02.txt
Terje,
TP> When a SUBMITTER parameter is provided then receiving MUAs SHOULD
TP> display the SUBMITTER parameter as the sender of the email instead
TP> of the original FROM address in the RFS 2822 headers; otherwise an
TP> attacker can trivially defeat the algorithm by providing a different
TP> SUBMITTER and FROM address.
SUBMITTER is related to rfc2822.Sender, not rfc2822.From.
The concern for display to the user is certainly valid. However
bypassing the From field creates more problems than it solves.
Dave Crocker --
--------------------
TP> My understanding is that in all properly formed email the
TP> SUBMITTER address MUST equal rfc2822.From.
TP> That being the case there should be no problem displaying
TP> SUBMITTER as the from address.
TP> If they are not equal the email is malformed and displaying
TP> SUBMITTER just compensates for the malformed trick that the
TP> sender is trying to conduct.