From: dmarc [mailto:[email protected]] On Behalf Of Murray S. Kucherawy
Sent: Wednesday, May 11, 2016 6:29 PM
To: Alessandro Vesely
Cc: [email protected]; Kurt Andersen (b); ARC Discussion
Subject: Re: [dmarc-ietf] Proposal to adopt ARC documents into the WG (toward phase 2 milestone)

On Wed, May 11, 2016 at 9:54 AM, Alessandro Vesely <[email protected]<mailto:[email protected]>> wrote:

[... assume ARC-Seal: i=0 still verifies ...]

>>> ARC-0 is substantially equivalent to a weak signature. The ARC-Seal
>>> field proves that the originator was involved. ARC-Message-Signature
>>> is expected to be broken by forwarders. ARC-Authentication-Results may
>>> contain just an auth stanza, with a possibly redacted authenticated
>>> identity.
>>
>> Doesn't the i=1 ARC set also prove the originator was involved?

No, it doesn't.

Could you say why not? It seems to me the i=1 ARC set is validating the message authentication provided by the originator. That seems to qualify to me as "involved" on the part of the originator.

MH: Is it not possible for i=1 ARC set to forge the “validation” of the message authentication purportedly provided by the purported originator?

> Yes, AS[1] testifies to the Authenticated-Results of receiving the message
> from the originator.

That only proves the first receiver was involved. A final receiver may trust its results or not.

What is the first receiver reporting if not the authentication claims made by the originator?

MH: The first receiver is asserting authentication claims by the purported originator. That is not the same thing as validating (verifiable) authentication claims by the originator.

Confused,
-MSK
