On Fri, 3 Sep 2004, Jim Lyon wrote:
On Thursday, September 02, 2004 at 7:38 PM, William Leibzon wrote:
Microsoft may have misled others that SenderID and PRA algorithm can
be
used by MUAs to verify email (because of their dominance in MUA market
on
Windows PCs, they need something for MUAs). That is not true.
In spite of William's repeated assertions that it can't be done, we have
built prototypes internally that do exactly that. They work.
I assert that it works because you know exactly which mail server your MUA
is connecting to and for general case MUAs would not work.
Briefly, the algorithm is:
1. Grovel through the Received: headers to find the header
describing the hop where the message entered the current
organization.
Received headers have no standartization - there is not RFC requirement
to add ip address of the client or its EHLO name into the header. How
this information is entered in received header varies from MTA to MTA
(closest semi-standard is sendmail way of adding data into received).
Same system may add multiple received headers (qmail and postfix do in
some cases) and there maybe several systems on receiving ISP end before
email came to MDA, trying to determine which received header to check so
that it is the one entered by MTA that received mail from external source
is very hard and will lead to errors and may even cause to choose header
that was forged by spammer.
2. Extract the PRA from the [Resent-] Sender and From headers
as usual.
In some cases PRA may have changed after received header (for example on
receiving ISP end, mail was received by gateway, forwarded to intermediate
system and then forwarded to MDA; forwarding server may have added its own
resent-from header resulting in MUA system checking its own ISP instead of
external system).
3. Apply the SenderID algorithm. [Actually, our prototypes
used the earlier CallerID algorithm, but the point remains.]
William also implies that Microsoft would intentionally mislead people
to believe that SenderID can be used in MUAs when it cannot.
In the first place, I resent the insinuation.
I apologize if you understood my remarks as meaning that you -intentionally<-
misled anybody (nor did I ever use those words). I meant that because of
Microsoft MUA share you want algorithm that would work om MUAs and expect
SenderID to work there (but not that you knew it would not work there and
eventhough still said that it would).
In the second place, were such misleading to occur, it would hurt
Microsoft more than anyone else, precisely because we provide more of
the world's MUAs than anyone else.
Yes. That is why you should be carefull about trying to apply SenderID
algorithm in MUAs and understand that there would be great number of
errors with such approach that might be blamed on MUA programmers. We
should focus MARID efforts on MTA authorization as WG charter said and
in my view doing authorization several email hops after is bad idea.
And while displaying PRA by itself in MUA would not lead to anything bad
and should probably be done, trying to assert if it was verified or not
should only be done when you have data indicating that MTA in fact done
such authorization.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net