Murray,

>> I think that the "registration problem" is a red
>> herring after all. There's no deterministic way to decide what's a
>> legitimate mailing list (or other re-signer), any more than there's any
>> way to deterministically decide what's a legitimate originator. Those
>> determinations are made heuristically outside DMARC.

> Numerous proposals have appeared over the years to solve the Mediator
> problem and its ilk, all of which involve advertising in some way that
> two domains are related somehow. The favorite example is "A can sign B's
> mail", with the implication being "and you should act as if B signed it".

Ah, okay; in that case I will respond to your summary:

> The registration problem is not a red herring because it doesn't
> exist, but because it is intractable. Thus, any response to the
> third-party problem that relies on a solution to that problem
> (which includes ATPS, DSAP, and TPA) is probably not viable.

I agree. But I think that some of the "re-signing" schemes being
proposed at the moment do *not* require this type of registration,
so in those cases, the registration problem wouldn't apply.

If A is not "signing B's mail", but rather, "signing its own
modifications to B's message", then the evaluation of the two
signatures doesn't require a published or pre-existing relationship
between the two domains. Under at least one of the proposals, it can
be determined that "yes, A signed the mods, and if the mods are
removed to re-generate the original message, B signed the original
message".

If we have that, then I think the question becomes: if this is to be
a DMARC-like scheme, how do we tie A's signature to some kind of
relevant header field, since the "From:" header is already "reserved"
for the original signer.

Now despite injunctions on this list against referring to the user
interface, the fact is that DMARC uses the "holy From: header" to
extract the "alignable domain". Unless I'm gravely mistaken, the
reason for that *is* indeed that this field is shown to the user (in
some form) by every user agent out there, and the user is thought to
place a fair deal of confidence in the "truth" of that header.

Unless we can state something similar with respect to another header,
I suspect that anything we propose will be considered to be watering
down DMARC to an unacceptable extent. :-(

Anne.
-- 
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
[email protected]    +1 514 848-2424 x2285
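The two-signature evaluation discussed in the message above, as an added toy model that is not part of the original post and not the format of any of the proposals mentioned. Assumptions: HMAC with constructed keys stands in for each domain's DKIM signature, the mediator's modifications are a subject tag and a body footer, and the `mods`, `mod_sig` and `orig_sig` fields are hypothetical names.

```python
import hashlib
import hmac

# Constructed keys: HMAC stands in for each domain's DKIM key pair (assumption).
KEYS = {"b.example": b"originator-key", "a.example": b"list-key"}

def sign(domain, subject, body):
    """Signature by `domain` over a subject and body."""
    data = subject.encode() + b"\0" + body.encode()
    return hmac.new(KEYS[domain], data, hashlib.sha256).hexdigest()

def verify(domain, subject, body, sig):
    """True only if `domain` has a known key and `sig` matches this content."""
    if domain not in KEYS:
        return False
    return hmac.compare_digest(sign(domain, subject, body), sig)

def mediate(msg, tag, footer):
    """List A applies two declared, reversible modifications and signs the result."""
    out = dict(msg, subject=tag + msg["subject"], body=msg["body"] + footer)
    out["mods"] = {"by": "a.example", "tag": tag, "footer": footer}
    out["mod_sig"] = sign("a.example", out["subject"], out["body"])
    return out

def evaluate(msg):
    """Return (A signed the message as modified, From: domain signed the original)."""
    from_domain = msg["from"].rsplit("@", 1)[1]
    subject, body, mods = msg["subject"], msg["body"], msg.get("mods")
    mods_ok = False
    if mods:
        mods_ok = verify(mods["by"], subject, body, msg.get("mod_sig", ""))
        # Undo the declared modifications to regenerate the original message.
        if subject.startswith(mods["tag"]) and body.endswith(mods["footer"]):
            subject = subject[len(mods["tag"]):]
            body = body[:len(body) - len(mods["footer"])]
    return mods_ok, verify(from_domain, subject, body, msg.get("orig_sig", ""))

# Constructed sample messages.
original = {"from": "user@b.example", "subject": "Hello", "body": "Hi all.\n"}
original["orig_sig"] = sign("b.example", original["subject"], original["body"])
relayed = mediate(original, "[dmarc] ", "-- \ndmarc mailing list\n")
tampered = dict(relayed, body="Buy now!\n" + relayed["body"])

if __name__ == "__main__":
    print("relayed :", evaluate(relayed))
    print("tampered:", evaluate(tampered))
```

Neither check consults any record relating a.example to b.example, and the second result is still tied to the From: domain, which leaves open the question the message raises of which header field A's signature would align with.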
