ietf

Re: DMARC: perspectives from a listadmin of large open-source lists

2014-04-15 18:15:35
On 15 Apr 2014, at 23:20, Pete Resnick <presnick(_at_)qti(_dot_)qualcomm(_dot_)com> wrote:
> On 4/14/14 9:23 AM, Dave Crocker wrote:
>> Mediators, like mailing lists, take final delivery and post a new message.
>> In formal terms, it's legitimate for them to create a different rfc5322.From
>> field, including one that looks like some sort of 'rewrite' of the one used
>> by the original author.
>
> It's legitimate for a mailing list to rewrite the author, but it would be
> wrong. :-)
>
> More seriously: If the mailing list wishes to express that I am the author of
> *this message*, then I belong in the "From:" field. That differs semantically
> from forwarding a message authored by me; then the list is saying that the
> list is the author, and it is simply quoting me, but that the list is the
> entity that should be considered to have written the message. For most
> mailing lists, that seems like the wrong semantics to try to convey.
>
> There should be a mechanism for an author to send a message to a mailing
> list, granting the mailing list permission to redistribute that message, and
> have that permission conveyed to the mailing list recipient such that when
> the mailing list recipient receives the message, they can assure themselves
> that the originating domain is OK with that redistribution. Sounds like some
> protocol which could be written.
>
> (If the originating domain is expressly *not* OK with the redistribution, the
> mailing list should bounce the message back to the author saying as much.)

That suffers the same problems as X-O-A-R: you have to know when to trust the 
intermediate.  In the absence of that knowledge, any message transformation is 
invisible to the recipient, and potentially malicious.  You would have to 
invent a scheme for identifying transformations, so users could verify them 
against the original sender's signature.

DMARC has put *ALL* the trust into the From: field.  That is very unfortunate, 
but it seems to be the DMARC people's idea of a foolproof, user-visible 
identifier.

Cheers,
Sabahattin
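
Added example, not part of the original message or thread: a minimal DMARC identifier-alignment check in Python showing why a list that keeps the author's From: fails DMARC while a list that rewrites From: passes. All domains and messages are constructed, SPF/DKIM results are supplied as inputs rather than computed, and the organizational-domain reduction is a naive stand-in for the Public Suffix List lookup that real evaluators use.

```python
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    # Assumption: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Strict alignment needs an exact match; relaxed compares org domains.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    header_from: str   # address in the RFC5322.From field
    spf_domain: str    # RFC5321.MailFrom domain that SPF evaluated
    spf_pass: bool
    dkim: list = field(default_factory=list)  # (d= domain, signature verified)


def dmarc_pass(msg: Message, strict: bool = False) -> bool:
    # DMARC passes only if an authenticated identifier aligns with From:.
    from_domain = msg.header_from.rsplit("@", 1)[1]
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, from_domain, strict)
    dkim_ok = any(ok and aligned(d, from_domain, strict) for d, ok in msg.dkim)
    return spf_ok or dkim_ok


# Constructed scenarios.
# 1. Author mails a recipient directly.
DIRECT = Message("author@example.com", "example.com", True,
                 [("example.com", True)])
# 2. List redistributes with the author's From: kept. The list's bounce address
#    carries SPF, and a footer or subject tag breaks the author's DKIM signature.
VIA_LIST = Message("author@example.com", "lists.example.org", True,
                   [("example.com", False), ("lists.example.org", True)])
# 3. List rewrites From: to its own address: aligned, but the author is gone
#    from the one field DMARC looks at.
REWRITTEN = Message("discuss@lists.example.org", "lists.example.org", True,
                    [("lists.example.org", True)])

if __name__ == "__main__":
    for name, m in (("direct", DIRECT), ("via list", VIA_LIST),
                    ("From: rewritten", REWRITTEN)):
        print(f"{name:16} From={m.header_from:28} "
              f"DMARC={'pass' if dmarc_pass(m) else 'fail'}")
```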
