Victor Duchovni wrote:
> On Mon, Nov 24, 2008 at 11:58:46AM -0800, Michael Thomas wrote:
>> Yeah, definitely a security considerations if anything. But isn't this
>> pretty much covered by the overall "don't trust what you don't trust"
>> part of the security considerations already?
>
> No, because the MUA will in fact trust the header (when it carries the
> right "authserv-id"). Otherwise it is completely useless to the MUA.

Sorry but I think that asserting a truth like that and that simply is entirely
unfounded. Since there is no MUA precedence for this header and since I don't
even know what it means to say "the MUA will... trust the header", I think that
statements about the details in handling the information need to be moderate
and careful.

> I do not wish to be a troll, so unless my point is not clear, I don't
> want to repeat myself. Having made the point about as well as I can,
> if it is broadly believed to be out of scope, so be it.

I think your concern has served to prompt more clarifying language. Given the
nature of this mechanism, more clarifying language is almost certainly a Good
Thing.

> IMHO, this issue deserves specific discussion in the Security
> Considerations, because, while it is not deep, it is not entirely obvious.

I agree.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html