On 5/3/2010 6:49 PM, John Levine wrote:
>> F2F was created in a kinder, gentler time, when address spoofing
>> wasn't nearly as much of a problem as it is now. The fact that F2F
>> hasn't evolved to avoid spoofing users' addresses is a problem that
>> is only made more tangible by email authentication.
>
> I have to agree with Mike (alert the media!) that this seems to be a
> solution looking for a problem. There are F2F systems all over the
> net, and the amount of spam or hostile spoofage we get from them is
> trivial.

But that's not really the issue. The issue is whether and how using F2F might break end-to-end trust models that are being postulated when DKIM is used. It's not whether there is likely abuse but whether the likely trust will become unenforceable, when it should be enforceable.

> It might be worth noting that a well-run F2F system can put its own
> signature on the mail, regardless of which of the many possible
> approaches it uses to set up the To:, From:, Reply-To:, and other
> visible headers.

And indeed, this might be the (or, at least, an) answer to the concern (except of course for ADSP assertions made too broadly because it can't cover this scenario).

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
