On 05/12/2016 06:28 AM, Murray S. Kucherawy via arc-discuss wrote:
On Wed, May 11, 2016 at 9:54 AM, Alessandro Vesely <[email protected]
<mailto:[email protected]>> wrote:
>> Doesn't the i=1 ARC set also prove the originator was involved?
No, it doesn't.
Could you say why not? It seems to me the i=1 ARC set is validating
the message authentication provided by the originator. That seems to
qualify to me as "involved" on the part of the originator.
I'd suggest not. AS[1] permits a receiver (or other assessor) to
determine with some confidence that the putative signer made such an
assertion about the putative originator, it provides no information
about the involvement of the putative originator except to the extent
that the assessor additionally trusts the assertions of the putative
signer. Decisions to trust are necessarily outside the specification.
This argument applies equivalently to AS[0] independent origination
scenarios and to AS[>0] forwarding scenarios.
> Yes, AS[1] testifies to the Authenticated-Results of receiving the message
> from the originator.
That only proves the first receiver was involved. A final receiver
may trust
its results or not.
What is the first receiver reporting if not the authentication claims
made by the originator?
They could equally be reporting fraudulent claims in order to defeat
email security systems at (a) downstream receiver(s).
- Roland
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
