ietf-smtp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: public key BATV isn't useful

2008-05-20 01:59:52
from [Paul Smith] [Permanent Link] 

Dave Crocker wrote:
The BATV introduction is misleading. It doesn't mention anything about the reasoning behind BATV that you state,
#2 and #3, above, are two types of bounce messages that are invalid, because they result from unauthorized creation of the bounce address (MailFrom). The Introduction says:
"existing Internet mail permits unauthorized use of addresses in the MailFrom command, which results in having notices sent to unwitting and unwilling recipients." 

which seems to state exactly that condition, and:
"Bounce Address Tag Validation (BATV) defines a framework for mechanisms that validate the value in this command." 

says that BATV seeks to remedy that problem.

How should the Introduction be different?


Also, this bit really confused me

Section 4.2.2
"The checking of private signatures is only performed within the domain specified in the MailFrom command. The first component that processes the MailFrom's local-part must be able to interpret the meta-syntax. It MAY also perform validation."
This seems to be saying that only mail servers within the domain specified in the MailFrom command should check signatures. So, that seems to mean that ONLY the MTAs *sending* the message originally should check the domain, as those are the MTAs in the domain specified in the MailFrom. This really confused me. That's why I thought private key taggings was pointless - what's the point of one of the sender's MTAs checking the signature as the message was being sent?
Now (I think) I understand what BATV's supposed to do, I think I know what you were trying to say, but from a 'newbie' POV it just didn't seem to make sense.
For a bounce message, the MailFrom command specifies a null return path, so there is NO domain specified in the MailFrom command when the checking of private signatures is performed.
I think what you meant to say was that the checking of private signatures is only performed within the domain specified in the *RcptTo* command of the incoming bounce message - i.e. the domain where the original message should have come from. 


--
Paul Smith

VPOP3 - POP3/SMTP/IMAP4/Webmail Email server for Windows
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: public key BATV isn't useful, Paul Smith
Next by Date:  Re: Lose the time stamp in BATV, Paul Smith
Previous by Thread:  Re: public key BATV isn't useful, Paul Smith
Next by Thread:  Re: public key BATV isn't useful, Douglas Otis
Indexes:  [Date] [Thread] [Top] [All Lists]