On Apr 11, 2014, at 2:07 PM, Miles Fidelman <[email protected]> wrote:

> Les Barstow wrote:
>>  I'll add two cents here on MLM behavior. If MLM software is altering the 
>> contents of a message, then in authentication terms the original author is 
>> no longer the author of the message - the MLM is responsible for the 
>> modified message body (DKIM). In authorization terms, the MLM system is also 
>> the originating mail server (SPF). So from a strict security perspective, 
>> the MLM software IMHO *should* be claiming ownership of these messages (in a 
>> user-visible way, i.e. the From field). Obviously, convenience and security 
>> aren't always the best of friends, but there are many ways to implement 
>> convenience that don't ignore security. There are fewer ways (read: none) to 
>> implement security that accommodate every implementation of convenience. If 
>> we want to secure our email addresses, we're going to have to work a bit for 
>> it.
> 
> Well that's arguable.   By that logic, anything that alters a piece of mail 
> becomes its author - everything along the mail delivery chain alters some 
> part of the message, if only by adding received- headers.

Altering a header (the "Envelope") is not the same as altering the message 
(body).

> It's probably more accurate to say that the MLM is acting as an agent of the 
> author.  (Now if you want to really pick nits, think about sending out a 
> meeting invitation through Exchange - there's a meeting "owner" - but other 
> people, with privileges, can update the original invitation - change the 
> time, add a webex, ....)

I think you're conflating the message and the delivery mechanism. In the 
Exchange case, other people generally only alter meta-data *about* the 
invitation (time, attendance status, etc.). The invitation itself, "Meet the 
Engineering team and discuss appropriate uses of the From and Reply-To headers" 
tends to not get altered by anyone other than the original author. Granted, 
there are Personal Assistants and other privileged persons who often write "in 
the name of" the Author, but that's another matter entirely.

Matt

> Come to think of it, I wonder how much Yahoo's DMARC policy is impacting 
> calendaring software!
> 
> Miles Fidelman
> 
> -- 
> In theory, there is no difference between theory and practice.
> In practice, there is.   .... Yogi Berra
> 
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> 
> NOTE: Participating in this list means you agree to the DMARC Note Well terms 
> (http://www.dmarc.org/note_well.html)
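
The header-versus-body distinction argued in this thread, expressed in DKIM's own terms, as an added example that is not part of any poster's message: a relay that prepends a Received header leaves both signed inputs intact, while a list that appends a footer changes the body hash. The sample message, the `SIGNED` header list and the helper names are constructed assumptions; the signing step and the DKIM-Signature header itself are left out, so only the hashed inputs are compared.

```python
import base64, hashlib, re

SIGNED = ["from", "to", "subject", "date"]  # assumed h= list, not from the thread

def body_hash(body: bytes) -> str:
    """bh= value: SHA-256 of the 'relaxed' canonical body (RFC 6376, 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()                       # trailing empty lines are ignored
    canon = b"".join(ln + b"\r\n" for ln in lines)
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def signed_header_digest(headers) -> str:
    """SHA-256 over the relaxed-canonical headers named in SIGNED, picked bottom-up."""
    remaining, data = list(headers), b""
    for name in SIGNED:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                key, value = remaining.pop(i)
                value = re.sub(r"\s+", " ", value).strip()
                data += f"{key.lower()}:{value}\r\n".encode()
                break
    return hashlib.sha256(data).hexdigest()

def relay(headers, body):
    """A hop that only prepends a trace header (constructed value)."""
    received = ("Received", "from mx.example by relay.example; 11 Apr 2014 14:07:00 -0400")
    return [received] + headers, body

def mailing_list(headers, body):
    """A list manager that appends a footer to the body (constructed footer)."""
    return headers, body + b"_______________\r\nexample-list mailing list\r\n"

def dkim_inputs_unchanged(before, after):
    """Returns (signed headers unchanged, body hash unchanged)."""
    return (signed_header_digest(before[0]) == signed_header_digest(after[0]),
            body_hash(before[1]) == body_hash(after[1]))

# Constructed sample message, as the author's domain would have signed it.
ORIGINAL = ([("From", "author@example.org"), ("To", "example-list@lists.example"),
             ("Subject", "Meeting agenda"), ("Date", "Fri, 11 Apr 2014 14:00:00 -0400")],
            b"Meet the Engineering team.\r\n")

if __name__ == "__main__":
    print("relay        ", dkim_inputs_unchanged(ORIGINAL, relay(*ORIGINAL)))
    print("mailing list ", dkim_inputs_unchanged(ORIGINAL, mailing_list(*ORIGINAL)))
```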

