ietf-smtp

Re: Sender's Declaration of Identity

2005-05-15 19:55:58
On Sun, 15 May 2005 18:23:55 PDT, David MacQuigg said:

The proposal is to add an ID command to the SMTP exchange, after EHLO, but 
before MAIL.  My main concern is backward compatibility.  Here are the 
relevant paragraphs:

    EHLO  mailserver7.my-company.com
    ID  mycompany.com
    MAIL FROM: bob@sales.my-company.com
You get the point:

   Unfortunately, there is no agreement on how this should be done.  
   Some believe firmly that it should be done in the EHLO command at the 
   start of each session, others insist that it should be done in the 
   MAIL command with each email.  Still others think the true Identity 
   should be extracted from one or another of the email headers that the 
   recipient actually sees.  Adding to the confusion is the fact that 
   each of these identities may legitimately differ from the Identity 
   that is to be authenticated, and may differ in having extra 
   "subdomain" labels that are not easily separated from the Identity to 
   be checked.

and then promptly decide to ignore it.  The reason that there is disagreement
is because the different choices have different semantics.  In addition, many of
the schemes involve the inability of the sender to overload a field.  So for
instance, if you're trying to send a phish using a MAIL FROM: of @ebay.com,
you're *stuck* with that MAIL FROM.

Your proposal would allow:

EHLO mailserver-7.my-company.com
ID some-spammer-controlled-domain-that-will-verify.com
MAIL FROM:<moby-phisher@ebay.com>

In addition, being able to pick-n-choose and feed the value from a MAIL FROM
to a scheme that wants to verify EHLO or the PTR of the source just opens up
a lot of attacks.

So how exactly does this improve the situation?

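The objection above is about which identity a receiver binds its check to. The following is an added example, not code from this thread or from any IETF draft: it models two receiver policies for the session shapes quoted in the reply, one that authenticates the domain named in the proposed ID command and one that authenticates the domain of MAIL FROM, and shows which one lets the sender present a verifiable identity that differs from the address the recipient sees. The session values, the AUTHORIZED table (standing in for whatever DNS-based check a real receiver would run) and the policy function names are all constructed for this illustration.

```python
"""Model of the identity-binding question raised in the reply.

Added example, not the post's or any draft's code. It ignores the real
SMTP transport and keeps only the policy decision: given what the sender
said in EHLO, ID and MAIL FROM, which identity does the receiver verify?
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    ehlo: str                  # argument of EHLO
    id_domain: Optional[str]   # argument of the proposed ID command, if sent
    mail_from: str             # reverse-path given in MAIL FROM


# Constructed stand-in for a DNS-based authorization record: the hosts that
# are allowed to speak for each domain. Hostnames are all assumed values.
AUTHORIZED = {
    "my-company.com": {"mailserver7.my-company.com"},
    "some-spammer-controlled-domain-that-will-verify.com": {
        "mailserver-7.my-company.com",
        "relay.spammer.example",
    },
    "ebay.com": {"mx1.ebay.example"},
}


def domain_of(reverse_path: str) -> str:
    """Domain part of a MAIL FROM reverse-path; '' for the null path '<>'."""
    addr = reverse_path.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def host_authorized_for(domain: str, ehlo_host: str) -> bool:
    """Does the connecting host appear in the domain's authorization set?"""
    return ehlo_host.lower() in AUTHORIZED.get(domain.lower(), set())


def policy_verify_id(sess: Session) -> bool:
    """Proposed scheme: authenticate whatever domain the sender named in ID.

    The sender chooses the identity under test independently of MAIL FROM.
    """
    if sess.id_domain is None:
        return False
    return host_authorized_for(sess.id_domain, sess.ehlo)


def policy_verify_mail_from(sess: Session) -> bool:
    """Bind the check to MAIL FROM: the identity under test is the one the
    sender is stuck with, so a verified-but-unrelated ID cannot substitute."""
    return host_authorized_for(domain_of(sess.mail_from), sess.ehlo)


def evaluate(sess: Session) -> dict:
    """Run both policies and report the identity each one actually checked."""
    return {
        "id_policy": policy_verify_id(sess),
        "id_policy_checked": sess.id_domain,
        "mail_from_policy": policy_verify_mail_from(sess),
        "mail_from_policy_checked": domain_of(sess.mail_from),
    }


# The session sketched in the reply: a domain the sender controls is offered
# in ID while MAIL FROM carries the address the recipient will see.
PHISH = Session(
    ehlo="mailserver-7.my-company.com",
    id_domain="some-spammer-controlled-domain-that-will-verify.com",
    mail_from="<moby-phisher@ebay.com>",
)

# A session where ID and MAIL FROM name the same domain (constructed).
LEGIT = Session(
    ehlo="mailserver7.my-company.com",
    id_domain="my-company.com",
    mail_from="<bob@my-company.com>",
)

if __name__ == "__main__":
    for name, sess in (("phish", PHISH), ("legit", LEGIT)):
        print(name, evaluate(sess))
```

Under the ID policy the phishing session passes, because the check ran against the domain the sender chose, not the one in MAIL FROM; under the MAIL FROM policy it fails, because `mailserver-7.my-company.com` is not authorized for `ebay.com`. The model also exposes the trade-off David's paragraph mentions: a MAIL FROM of `bob@sales.my-company.com` would fail the MAIL FROM policy here unless the receiver had a rule for the extra `sales` label, which is the cost of binding the check to a field the sender cannot overload.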