On Jul 28, 2006, at 3:35 PM, Dave Crocker wrote:

Mark Delany wrote:
How do you then decide which policies to check? Does this mean that you need to check every address corresponding to a From, Sender, Resent-From, Resent-Sender, 2821 envelope-from, and List-Id, ...

Right. The "Which I" problem.

Indeed. I suspect the challenge, here, is to decide which *few*, real threats are serious enough to warrant a solution.

By contrast, an exhaustive exercise to think of every possible scenario that we might feel like covering seems like a good way to a) reduce the overall relevance of the work, and b) make the mechanism big enough and complex enough to be difficult to implement properly.

There needs to be a strategy to limit the number of signature verifications and identities checked, or the verifications and lookups themselves may create a threat.

Originator Address (OA) (2822.From(s))

Current Address (CA) (2822.Resent-Sender -> Resent-From(s) -> Sender -> OA)

Limiting the effort to the OA seems appropriate. Is there a significant threat related to CA spoofing?

-Doug
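The OA/CA selection described in the post above, as an added example that is not from the thread or from any DKIM implementation: it derives the identities to check from a parsed message and caps their number, in the spirit of limiting verifications and lookups. The cap value (MAX_LOOKUPS) and the helper names are assumptions.

```python
# Added example (not from the list thread): selecting which identities to
# check, using the OA / CA definitions from the post above. The lookup cap
# (MAX_LOOKUPS) is an assumed value, not something the thread specifies.
from email import message_from_string
from email.utils import getaddresses

# CA precedence exactly as stated: Resent-Sender -> Resent-From(s) -> Sender -> OA
CA_PRECEDENCE = ("Resent-Sender", "Resent-From", "Sender")
MAX_LOOKUPS = 4  # assumed bound on policy lookups per message

def parse_message(raw):
    """Parse an RFC 2822 message from a string (headers, blank line, body)."""
    return message_from_string(raw)

def _addresses(msg, header):
    """Lower-cased addr-specs from every instance of `header`, in header order."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]

def originator_addresses(msg):
    """OA: every address in the 2822.From header(s)."""
    return _addresses(msg, "From")

def current_addresses(msg):
    """CA: the first header in the precedence chain that carries an address; else OA."""
    for header in CA_PRECEDENCE:
        found = _addresses(msg, header)
        if found:
            return found
    return originator_addresses(msg)

def identities_to_check(msg, limit=MAX_LOOKUPS):
    """Deduplicated OA followed by CA, truncated so a header-stuffed message
    cannot force an unbounded number of signature/policy lookups."""
    ordered = []
    for addr in originator_addresses(msg) + current_addresses(msg):
        if addr not in ordered:
            ordered.append(addr)
    return ordered[:limit]

# Constructed sample: a list-expanded message where Sender differs from From.
SAMPLE = """From: Alice <alice@example.org>
Sender: list-bot@lists.example.net
To: bob@example.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    msg = parse_message(SAMPLE)
    print("OA:", originator_addresses(msg))   # ['alice@example.org']
    print("CA:", current_addresses(msg))      # ['list-bot@lists.example.net']
    print("check:", identities_to_check(msg))
```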

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html