
Re: (DMARC) Why mailing lists are only sort of special

2014-04-17 08:39:20
On 17 April 2014 11:50, Yoav Nir <ynir(_dot_)ietf(_at_)gmail(_dot_)com> wrote:

Then perhaps this is what needs to change. John R Levine did not send you
a message. He sent a message to the list. It is the list software that sent
you a message. So perhaps the From field should have been “From: IETF
Mailing list on behalf of John R Levine <ietf(_at_)ietf(_dot_)org>”. The Reply-To
could be set to either John’s real address or the mailing list address,
depending on what we think users mean when they click “Reply” - reply to
John or reply to the list.


What you're changing there, as Martin Rex hints, is not the semantics of
mailing lists, but the semantics of RFC 822 and successors. I could go
along with this if RFC 5322 were demonstrably broken; but in practice, it's
not.

John R Levine, in this instance, did indeed not send me the message - which
is why the Sender header field doesn't have his name or email address
present.

He did, however, write the message, which is why the From header field does.

If you want explicit handling, what we'd need to do is individually (and
visibly) authenticate each transaction - this has knock-on effects in how
we handle blind carbon-copies (in particular, we'd need to send them as a
separate transaction). This has some nasty implications for unsuspecting
MUAs; but some MUAs do this anyway for other related reasons. Also, I
suspect this model would have serious implications for DMARC - that is, I
don't think it fits the DMARC model closely enough to satisfy even
"minimal" changes to the deployed base.

But what this would do, loosely, is have a verifiable chain of
Levine->list; list->me. I would then look at the policies for Levine, and
for the list, and somehow combine them to a decision.

Dave.
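
An added illustration, not part of the original message: the From/Sender split described above, and the From rewrite proposed in the quoted text, checked against DMARC's relaxed identifier alignment. The `example` addresses, the two-label organizational-domain shortcut and the caller-supplied set of authenticated domains (nothing is cryptographically verified here) are assumptions.

```python
from email import message_from_string
from email.message import Message
from email.utils import formataddr, parseaddr

# Constructed sample: a list relay that leaves the author's From untouched
# and identifies itself in Sender (all addresses are placeholders).
RELAYED = (
    "From: John R Levine <author@author.example>\n"
    "Sender: ietf-bounces@list.example\n"
    "To: ietf@list.example\n"
    "Subject: sample post\n"
    "\nbody\n"
)
MSG = message_from_string(RELAYED)

def domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def roles(msg: Message) -> dict:
    """Author comes from From; the transmitting agent from Sender.
    RFC 5322: when Sender is absent, the author is also the sender."""
    author = msg["From"]
    return {"author": domain(author), "sender": domain(msg["Sender"] or author)}

def org_domain(d: str) -> str:
    # Assumption: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(d.split(".")[-2:])

def dmarc_aligned(msg: Message, authenticated: set) -> bool:
    """Relaxed alignment: some authenticated (DKIM d= / SPF) domain shares the
    organizational domain of the From address. Sender is never consulted."""
    want = org_domain(roles(msg)["author"])
    return any(org_domain(d) == want for d in authenticated)

def rewrite_from(msg: Message, list_addr: str, list_name: str) -> Message:
    """The quoted proposal: From becomes the list, Reply-To the author."""
    out = message_from_string(msg.as_string())
    name, addr = parseaddr(out["From"])
    del out["From"], out["Reply-To"]
    out["From"] = formataddr((f"{list_name} on behalf of {name}", list_addr))
    out["Reply-To"] = addr
    return out
```

With only the list's own domain authenticated, the unmodified message is unaligned and the rewritten one is aligned, at the cost of the From field no longer naming the author's address.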