[Top] [All Lists]

Re: [mail-vet-discuss] draft-kucherawy-sender-auth-header and last call draft-hoffman-dac-vbr-04

2008-11-10 14:22:35

On Nov 10, 2008, at 8:50 AM, J.D. Falk wrote:

On 07/11/2008 16:59, "Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org> wrote:

When users become suspicious of a message, they are likely to  
examine as much as they can, which of course includes the headers.

You've never met a real user, have you?

Speaking like a true boomer.  Is this your opening into a career as a  
legal witness.  :^ )

I hope you are not suggesting it is okay to add deceptive headers to  
email because users, when in doubt, never examine them?

Makes one wonder why practically _all_ email applications provide a  
means to display either 'select' or 'all' headers.  Imagine having  
Authentication-Results headers appear below the Cc: header as a  
default setting. : ^(

While it is normal to delete emails that leak past filters and  
reputation checks, recognized email addresses are still more likely to  
receive greater attention.  When Authentication-Results headers appear  
to confirm that a link or attachment originated from a trusted party,  
who should be liable when this proves malicious and not having  
originated from the party that appears to have been "authenticated"?

If Authentication-results headers were to improve security, and as the  
draft suggests, reputations should be checked as well, then why aren't  
identifiers that should be checked not included in the header?

If no one is looking, who would be confused by including relevant and  
essential information?  A cynic might expect the underlying reason is  
to direct complaints to the hapless domains, rather than responsible  
email-providers.  After all, authorization is once removed from any  
bad act.  One may have let someone drive their car, but why only  
include the identification vehicle owner in an accident report?  The  
IP address more closely represents who was in control of introducing  
the message, and represents the most important identifier that should  
always be checked.   Can you explain why the IP address is missing in  
the case of path registration methods?


NOTE WELL: This list operates according to 

<Prev in Thread] Current Thread [Next in Thread>