I'm happier,
Made comments in another thread on why I believe it opens a security hole
wider rather than trying to close it.
I guess I could live with it, when this downgrade is only done from an
SMTPUTF8 compatible MTA to an ASCII MTA.
I mean an SMTPUTF8 MTA MUST reject such a downgrade.
Let's not try to legitimize an attack vector (Friendly from having nothing
to do with the author of the email).
On 9/9/12 2:01 PM, "Barry Leiba" <barryleiba(_at_)computer(_dot_)org> wrote:
I will make the change. I'll also remind the EAI group that
there have been a couple of objections to the
5322upd-from-group spec, which I have to address. I might do
that by scoping it down a bit with some "SHOULD NOT use" sort
of language to address those concerns. Have to review them
and see.
My suggestion is to say something like the following:
...
That could be either in Security Considerations or a separate
section. You could even do something radical and incorporate it
as a section called "Applicability" and use the words "LIMITED
USE" (and, since no one seems to remember, a citation of RFC
2026 Section 3.3).
I have just posted draft-leiba-5322upd-from-group-04:
http://datatracker.ietf.org/doc/draft-leiba-5322upd-from-group/
That changes the definition of Sender as well as From, and also adds a
new "Applicability Statement" section that has an edited version of
John's suggested text. I like the result, and I hope others do as
well. I will post something to the 5322upd-from-group thread, asking
that those who had objected look at the new text and see if they're
happy (or at least somewhat happier) with it.
Barry
_______________________________________________
IMA mailing list
IMA(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ima