On Fri, Sep 24, 2004 at 12:52:07PM -0400, Meng Weng Wong wrote:
C) SUBMITTER if provided
D) if checking is done after the DATA command, the PRA
I say "three identities" because C and D are really the same
thing according to the SUBMITTER spec, yet SUBMITTER can be
treated as a first-class identity in its own right.
Does SUBMITTER have any value without being able to check PRA? Does
it have any real value even if we can check it? Ya, ya, phishing, but
does anyone really think you can protect users from phishing that
easily?
Would it be possible to focus more on crypto solutions to header validation
(ala DomainKeys?), and look to SES+crypto for end-to-end MAIL-FROM validation
instead of SUBMITTER or SRS or other mechanisms that require changes on
intermediate nodes? Based on what Seth has been saying, this could be a really
nice end-to-end setup.
I think solutions that will work in the absence of a global upgrade make more
sense than otherwise. Solutions that will provide some benefits (bounce
protection) even if just the sender implements them make even more sense.
Or, if we're committed to SUBMITTER/PRA, I guess we'll figure out how to
deal with it.
--
"When Government fears the people, it's liberty. When people fear the
Government, it's tyranny." -- Benjamin Franklin