These have to be changed to MUST. Supposing an MUA begins to make
decisions based on these headers (as my MUA already does) then making
removal of these headers an optional thing is a huge security problem.
--
Arvel
Tony Hansen wrote:
Right now, it says:
For security reasons, an MTA SHOULD remove any discovered instance of
this header for which the "hostname" is its own, i.e. headers which
claim to be from the MTA but were added before the mail arrived at
the MTA for processing. A border MTA MAY also delete any discovered
instance of this header which claims to have been added within its
trust boundary. For example, a border MTA at mx.example.com SHOULD
delete any instance of this header claiming to come from mx.exam-
ple.com and MAY delete any instance of this header claiming to come
from any host in example.com prior to adding its own headers. This
applies in both directions so that hosts outside the domain cannot
claim results MUAs inside the domain might trust.
I'm really surprised that these are SHOULDs and MAYs, instead of MUSTs.
If one of those got through, there'd be serious difficulties.
Is the reason a problem with mandating something for all MTAs? If so,
how about using the phrase "an Authentication-Results aware MTA" instead
of "an MTA"? Or "an MTA representing a given hostname"?
Discussion?
Tony Hansen
tony(_at_)att(_dot_)com
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html