spf-discuss

MAIL FROM rewriting?

2005-06-24 06:06:30
Hello all. First off, let me say that I'm quite new to this. Please bear with me, I appreciate your patience in advance! I'm a little confused about a particular aspect of SID, namely how 3rd party mailers are supposed to handle messages. Let's take the example of a remote worker who uses their private ISP's SMTP server to send e-mail messages in the name of their work e-mail account, which really resides on their company's corporate e-mail server. A similar scenario is mentioned in Dan's recent post here: http://archives.listbox.com/spf-discuss@v2.listbox.com/200506/0572.html

According to the Sender ID draft spec section 7.4 (http://www.microsoft.com/mscorp/safety/technologies/senderid/resources.mspx), "In order to pass the MAIL FROM variant of this test, a program that sends mail on behalf of another user MUST use a MAIL FROM address that is under its control." So if the private ISP performs rewriting to alter the MAIL FROM (or RETURN PATH) field to represent an address under its control, isn't that just defeating the entire purpose of SID in the first place? It shifts the focus of authentication from the original sender to the upstream ISP. As long as the ISP has a correct SPF record the message will pass a MAIL FROM test at the receiving end, regardless of the true legitimacy of the original sender.

I could pretend to be George Bush, configure my mail client From: and Reply-To: addresses as george@whitehouse.gov, and send using my local ISP's SMTP. The MAIL FROM gets altered to "george@legitimateisp.com", and when received by the end recipient's mail server, it passes the test because the SPF for legitimateisp.com authorizes the correct 1st hop sending server, and a PRA test should check MAIL FROM before FROM. When the message shows up in the recipient's inbox, all they're going to see is the FROM field of george@whitehouse.gov. Only upon closer inspection of the message headers would they see the altered MAIL FROM, which probably wouldn't tell them much anyway depending on the implementation.

Instead of (or in addition to) rewriting the MAIL FROM, another option is to add a new SENDER or RESENT FROM header to the message. But what good does that do if the PRA test is based on those fields? It's the same problem. I guess in my head, to be legitimate SID should essentially make the practice of using an unauthorized 3rd party SMTP server impossible. I mean, that is the point, right? To ensure that sending servers are specifically authorized to send mail for the domains that messages appear to come from? But instead it appears to provide a workaround that negates SID altogether.

I apologize if I've got this all wrong, but it's my best interpretation so far. Could someone either set me straight, or agree with me?

Thanks!
drj
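The scenario in the post, worked through as an added example (not code from the original post or from any Sender ID implementation). It runs the two Sender ID checks side by side: the MAIL FROM check evaluates the SPF record of the envelope sender's domain, and the PRA check evaluates the SPF record of the domain of the Purported Responsible Address, which RFC 4407 selects from the first non-empty header in the order Resent-Sender, Resent-From, Sender, From. The PRA is never taken from MAIL FROM, so the envelope rewrite alone leaves the PRA check to evaluate whitehouse.gov and fail; only when the ISP also stamps a Sender: header under its own domain does the PRA check pass, which is the workaround the post objects to. The domains, IP ranges, SPF records and message are all constructed for the example; no real DNS is consulted, and the SPF evaluator is deliberately minimal (ip4: and all only). The PRA selection is also simplified: it ignores RFC 4407's Resent-* block grouping and its rule that a header with more than one address yields no PRA.

```python
"""Added example: simplified SPF MAIL FROM and Sender ID PRA evaluation."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records for hypothetical domains (no real DNS is consulted).
# 203.0.113.0/24 stands in for the ISP's outbound MTAs, 198.51.100.0/24 for
# the corporate mail server that really hosts the worker's mailbox.
SPF_RECORDS = {
    "legitimateisp.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "whitehouse.gov": "v=spf1 ip4:198.51.100.0/24 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Toy SPF evaluator: only the ip4: and all mechanisms, with qualifiers.
    A real evaluator (RFC 4408) also handles a, mx, include, redirect, etc."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue                         # unsupported mechanism: ignored here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                         # nothing matched, no "all" term


# RFC 4407 header precedence for the Purported Responsible Address.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")


def select_pra(msg):
    """Return (header name, address) of the first non-empty PRA header.
    Simplified: no Resent-* block grouping, no multi-address rejection."""
    for name in PRA_HEADERS:
        value = msg.get(name)
        if value:
            return name, parseaddr(value)[1]
    return None, None


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()


def evaluate(mail_from, raw_message, client_ip):
    """Run both Sender ID variants on one submission and report each verdict."""
    msg = message_from_string(raw_message)
    pra_header, pra_addr = select_pra(msg)
    return {
        "mail_from_domain": domain_of(mail_from),
        "mail_from_result": check_spf(domain_of(mail_from), client_ip),
        "pra_header": pra_header,
        "pra_domain": domain_of(pra_addr) if pra_addr else None,
        "pra_result": check_spf(domain_of(pra_addr), client_ip) if pra_addr else "none",
    }


# Constructed message matching the post: From: claims whitehouse.gov, the ISP
# rewrote MAIL FROM to its own domain, and the ISP's MTA is the connecting IP.
ISP_IP = "203.0.113.25"
CORPORATE_IP = "198.51.100.10"
REWRITTEN_MAIL_FROM = "george@legitimateisp.com"
CLAIMED_MAIL_FROM = "george@whitehouse.gov"
SPOOFED_MESSAGE = (
    "From: george@whitehouse.gov\r\n"
    "Reply-To: george@whitehouse.gov\r\n"
    "To: victim@example.org\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)
# The same message after the ISP additionally stamps a Sender: header.
MESSAGE_WITH_SENDER = "Sender: george@legitimateisp.com\r\n" + SPOOFED_MESSAGE

if __name__ == "__main__":
    for label, mail_from, raw, ip in (
        ("via ISP, no rewrite", CLAIMED_MAIL_FROM, SPOOFED_MESSAGE, ISP_IP),
        ("via ISP, MAIL FROM rewritten", REWRITTEN_MAIL_FROM, SPOOFED_MESSAGE, ISP_IP),
        ("via ISP, rewrite + Sender:", REWRITTEN_MAIL_FROM, MESSAGE_WITH_SENDER, ISP_IP),
        ("via corporate server", CLAIMED_MAIL_FROM, SPOOFED_MESSAGE, CORPORATE_IP),
    ):
        print(f"{label}: {evaluate(mail_from, raw, ip)}")
```

Running it prints four verdict pairs: with no rewrite both checks fail; with the envelope rewritten only the MAIL FROM check passes while the PRA check, keyed on From:, still fails; with a Sender: header added both pass even though From: still says whitehouse.gov; and the legitimate path through the corporate server passes both. A receiver that wants the From: domain to mean something therefore cannot rely on either check alone and has to look at which header the PRA came from, or at a separate signature over the From: header.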


