On Oct 14, 2008, at 2:24 PM, Murray S. Kucherawy wrote:
Douglas Otis wrote:
Agreed. However, when a domain attempts to assert control over the
From header field using DKIM and ADSP, they must "pretend" to
authenticate an email-address within the From header field.
I don't think we're talking about any such assertions here. We're
only interested in protecting an Authentication-Results: header
added by a border MTA on inbound mail. Seems like ADSP and even
From: are somewhat irrelevant to this discussion.
The ADSP draft inhibits an assurance regarding _what_ the signing
domain authenticated! The Author Signature definition limits a
signing-domain's associated "on-behalf-of" identifier to being an
email address within the From header field or to being _blank_. As
a result, any intra-domain abuse can not be safely identified. One
would be mistaken to assume the From email-address is always what a
signing domain authenticates. No other assumption would be available
without incurring an impractical second signature that is likely
ignored anyway. Should one care about the damage created by an
incorrect assumption regarding authentication, even when the
assumption is signed by the border MTA? Perhaps this could be call
the Assumed-Authentication-Results header. : )
-Doug