[Top] [All Lists]

Re: [mail-vet-discuss] Straw consensus call on auth-header draft

2008-10-23 15:07:25

Douglas Otis wrote:
The ADSP draft inhibits an assurance regarding _what_ the signing domain authenticated! The Author Signature definition limits a signing-domain's associated "on-behalf-of" identifier to being an email address within the From header field or to being _blank_. As a result, any intra-domain abuse can not be safely identified. One would be mistaken to assume the From email-address is always what a signing domain authenticates. No other assumption would be available without incurring an impractical second signature that is likely ignored anyway. Should one care about the damage created by an incorrect assumption regarding authentication, even when the assumption is signed by the border MTA? Perhaps this could be call the Assumed-Authentication-Results header. : )



I'm pretty sure you're talking about the reliability/assertions of ADSP or even DKIM. That's orthogonal to what we're discussing here on mail-vet-discuss. This draft is about moving the evaluation results from an MTA to MUAs in a consistent and reliable manner. That the evaluations themselves could conceivably be flawed or subverted is already discussed in Security Considerations for this draft and is not within the scope of this document.

<Prev in Thread] Current Thread [Next in Thread>