ietf

RE: Google threatens to break Gmail

2015-10-22 19:08:02
On Thursday, October 22, 2015 12:41 PM, Brian E Carpenter wrote:

> On 23/10/2015 02:57, Russ Housley wrote:
> ...
>> It seems to me that DMARC re-writing is a more important feature for this
>> community.  I think we should drop support for the password messages and
>> move to a newer version.  I'd like the tools team to check this out, and then
>> if the newer version will not introduce other surprises, move to the newer
>> version.
>
> The primitive rewriting of the From is a bug in itself, because it destroys
> important information (who sent the message, even if they are a non-
> subscriber).

+1.

Rewriting the "From:" header trains users to only look at the user friendly
name, and to overlook the rewritten address. The potential for phishing is
interesting.

> What John Levine describes is hopeful, but it would be nice to have some
> assurance from Google that they will actually wait until it's available before
> changing their DMARC policy.

Yes. But we may want to look a little bit at privacy issues. The privacy 
problems with disclosing the current IP address of the user in the Received 
field are flagged in RFC 7624. We need to make sure that the new ARC field does 
not amplify this issue.

-- Christian Huitema