[Top] [All Lists]

Re: [mail-vet-discuss] Straw consensus call on auth-header draft

2008-10-14 13:09:51

On Oct 13, 2008, at 12:58 PM, Murray S. Kucherawy wrote:

Dave CROCKER wrote:
This begs the question: why bother to do the first validation; why not simply wait and let whoever would have validated the first instead validate the first?

If the only authentication method being applied at a site is DKIM or other things that don't care about the path, that works. But that's a big "if", and moreover means all consumers of authentication results data must now learn all local path-agnostic methods being used to evaluate messages.

The desire here is to secure arbitrary authentication results data between the border MTA and the consuming MUA. DKIM is one way that could be achieved, meaning the consumers need to learn one and only one message authentication scheme in order to validate that one piece of protected internal data.

Agreed. However, when a domain attempts to assert control over the From header field using DKIM and ADSP, they must "pretend" to authenticate an email-address within the From header field. ADSP, using a false premise of email-address authentication, has impaired DKIM's on-behalf-of field which is essential for evaluating intra- domain abuse. If the source of a message is not abusive, there should be no reason to filter based upon content classifications. In the case of ADSP, there no basis upon which classifications can be trusted. The one exception would be for a perfect signing domain, otherwise these efforts represent an exercise in futility.


<Prev in Thread] Current Thread [Next in Thread>