
Re: [dmarc-ietf] Identification of an email author (was - Re: IETF Mailing Lists and DMARC)

2016-11-07 17:24:08


----- Original Message -----
From: "Dave Crocker" <dcrocker(_at_)gmail(_dot_)com>
To: "Franck Martin" <franck(_at_)peachymango(_dot_)org>, "Terry Zink" 
<tzink(_at_)exchange(_dot_)microsoft(_dot_)com>
Cc: dmarc(_at_)ietf(_dot_)org, "Ted Lemon" <mellon(_at_)fugue(_dot_)com>, 
"IETF" <ietf(_at_)ietf(_dot_)org>
Sent: Monday, November 7, 2016 2:46:54 PM
Subject: Re: [dmarc-ietf] Identification of an email author (was - Re: IETF 
Mailing Lists and DMARC)

On 11/7/2016 11:41 AM, Franck Martin wrote:
The EAI WG found it was fine to remove the obligation to have an email
address part in the mandatory RFC5322.From header, leaving only the
display part to assert the original author.

We had that relaxed permission for From:, in the original
From/Sender/Reply-to specification of rfc733, with the requirement that
there be a Sender: email address.  It looks like we removed it for rfc822.

And while I recall something of the EAI discussion, I'm not recalling
this permission's being returned.  Nor am I finding it in rfc6854:

     https://tools.ietf.org/html/rfc6854#section-2

So, please point to the formal specification that permits a From: field
to have no email address.


I'm not great at ABNF, so please bear with me. 

My understanding is that RFC proposes the following change:

from =  "From:" mailbox-list CRLF

TO

from = "From:" (mailbox-list / address-list) CRLF


They are defined by:
mailbox-list    =   (mailbox *("," mailbox)) / obs-mbox-list
address-list    =   (address *("," address)) / obs-addr-list

furthermore: 

address         =   mailbox / group
mailbox         =   name-addr / addr-spec
name-addr       =   [display-name] angle-addr
angle-addr      =   [CFWS] "<" addr-spec ">" [CFWS] /
                       obs-angle-addr
group           =   display-name ":" [group-list] ";" [CFWS]
display-name    =   phrase
mailbox-list    =   (mailbox *("," mailbox)) / obs-mbox-list
address-list    =   (address *("," address)) / obs-addr-list
group-list      =   mailbox-list / CFWS / obs-group-list


So if you follow the fact that the new from can contain an address list, and 
that an address can be either a mailbox or a group and that a group can be 
'undisclosed sender:;'

So you could find an email with the following header

From: undisclosed sender:;

and that would be ok as per rfc6854

Note the security consideration in the same RFC that "discourages" the use of the 
group syntax, but as a receiver, I would claim, this increases the level of 
secret sauce to apply to evaluate an email...
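
As an added illustration (not part of the original message), here is a receiver-side check using Python's standard `email` package: it parses a From: field body under the group syntax quoted above and reports whether any addr-spec domain is present to evaluate. The function name, verdict labels and sample header values are constructed for this example.

```python
from email.policy import default as default_policy


def from_author_domains(from_value):
    """Parse a From: field body; return (verdict, domains, group_names).

    verdict is one of the labels made up for this example:
      "no-author-domain"  - no addr-spec at all (e.g. an empty group)
      "single-domain"     - every mailbox shares one domain
      "multiple-domains"  - mailboxes span more than one domain
    """
    header = default_policy.header_factory("From", from_value)

    # The parser exposes every top-level address as a Group; a bare mailbox
    # becomes a Group whose display_name is None, so named groups are the
    # ones that used the 'display-name ":" [group-list] ";"' form.
    group_names = [g.display_name for g in header.groups
                   if g.display_name is not None]

    # header.addresses flattens the mailboxes of all groups.
    domains = sorted({a.domain.lower() for a in header.addresses if a.domain})

    if not domains:
        verdict = "no-author-domain"
    elif len(domains) == 1:
        verdict = "single-domain"
    else:
        verdict = "multiple-domains"
    return verdict, domains, group_names


if __name__ == "__main__":
    # Constructed sample field bodies, not taken from real mail.
    samples = [
        "undisclosed sender:;",
        "Alice Example <alice@example.org>",
        "authors: alice@example.org, bob@example.net;",
    ]
    for value in samples:
        print(f"{value!r:50} -> {from_author_domains(value)}")
```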
