On Monday 16 August 2010 20:25:16 Charles Lindsey wrote:
> On Sun, 15 Aug 2010 04:50:13 +0100, Daniel Black <[email protected]> wrote:
> > If users are to place value in From headers as MUAs display and ADSP
> > tries to enforce then mangling From headers adds complexity to the
> > interpretation of the header field by the end user.
>
> If the original was
>     From: Joe Doe <[email protected]>
> and a recipient sees it as
>     From: Joe Doe <joe%[email protected]>
> then he will still have a pretty clear idea that it originated from Joe
> Doe, and may even be able to correctly guess Joe's original email address
> even if he is unfamiliar with the percent-hack.

I'm trying to get the same goal by recommending adding some non-artistically
specified form of a "list: mlm.example" display so it's more evident to the
user without percentage hacks. Current users are left out but a clearer
interpretation in the future is the tradeoff in values I'm making.

> > ANNEX A - MUA Considerations
> >
> > A MUA could implement the following features to reduce the need for
> > signature modifications:
> > * Display of the List-ID header field is used to be displayed beside
> >   where a subject header field is displayed.
> > * functionality to create a filter based on the List-ID header field.
>
> I agree it would be a Good Thing if MUAs routinely displayed some of the
> List-* headers as a default feature.
>
> But you seem to be suggesting that an MUA should be set up to accept
> messages with a List-Id plus a valid signature from the MLM, even from a
> discardable origin.

Good point. Should verifiers and MUAs do this check? I was hoping MUAs would
only need to parse Authenticated-Results rather than full DKIM/ADSP so a MUA
doing ADSP lookups would enter into an offline/online MUA discussion as
Hector mentioned and talks about the validity period of DNS records.

> Ignoring the fact that such emails may be already discarded by some
> boundary agent, that is still an open invitation to every Phisher to add a
> List-ID from some bogus list to every message he sends, and to add a valid
> signature from that bogus list (and perhaps even a deliberately invalid
> signature from the phished domain).
>
> Somehow, MUAs need to be aware of which lists the user is subscribed to if
> they are going to do that sort of thing.

Good idea. I'll try to word that in for the next rewrite. Alternately a MUA
maintains good/bad/indifferent third party signature lists and varies the
display for this.

Thanks for the review Charles.

Daniel
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
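
The check discussed in this message, as an added example that is not part of the original post: an MUA gives a message list treatment only when the boundary verifier's Authentication-Results header reports a passing DKIM signature from the list and the List-ID is one the user subscribed to. The authserv-id, the subscription set, the rule that the List-ID ends in the MLM's signing domain, and all sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

SUBSCRIBED = {"dkim-discuss.mlm.example"}   # assumed: lists this user joined
AUTHSERV = "mx.recipient.example"           # assumed: our boundary verifier's authserv-id

def list_id(msg):
    """Bare identifier inside <...> of the List-ID header, or None."""
    m = re.search(r"<([^<>\s]+)>", msg.get("List-ID", ""))
    return m.group(1).lower() if m else None

def dkim_pass_domains(msg):
    """d= domains reported as dkim=pass by our own verifier only."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        head = parts[0].split()
        if not head or head[0].lower() != AUTHSERV:
            continue  # stamped by another host (or forged by the sender)
        for p in parts[1:]:
            d = re.search(r"header\.d\s*=\s*([\w.-]+)", p, re.I)
            if d and re.match(r"dkim\s*=\s*pass\b", p, re.I):
                found.add(d.group(1).lower())
    return found

def list_treatment(raw):
    """How the MUA should present the message's list status."""
    msg = message_from_string(raw)
    lid = list_id(msg)
    if lid is None:
        return "not-a-list"
    signers = dkim_pass_domains(msg)
    # Assumption: the MLM signs with a domain the List-ID ends in.
    if not any(lid == d or lid.endswith("." + d) for d in signers):
        return "list-unverified"
    return "subscribed-list" if lid in SUBSCRIBED else "unknown-list"

# Constructed sample messages (not real traffic).
GENUINE = ("Authentication-Results: mx.recipient.example; dkim=pass header.d=mlm.example\n"
           "List-ID: DKIM discussion <dkim-discuss.mlm.example>\n"
           "From: Joe Doe <joe@isp.example>\n\nhello\n")
BOGUS_LIST = ("Authentication-Results: mx.recipient.example;\n"
              " dkim=fail header.d=bank.example; dkim=pass header.d=bogus.example\n"
              "List-ID: <news.bogus.example>\n"
              "From: Bank <alerts@bank.example>\n\nclick\n")
FORGED_AR = ("Authentication-Results: mx.evil.example; dkim=pass header.d=mlm.example\n"
             "List-ID: <dkim-discuss.mlm.example>\n"
             "From: Joe Doe <joe@isp.example>\n\nhi\n")
```

The bogus-list message carries a valid signature from its own list domain yet is still shown as an unknown list, because a passing signature says nothing about whether the user ever subscribed.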
