I'm happier,

Made comments in another thread on why I believe it opens a security hole
wider rather than trying to close it.

I guess I could live with it, when this downgrade is only done from a
SMTPUTF8 compatible MTA to an ASCII MTA.

I mean a SMTPUTF8 MTA MUST reject such downgrade.

Let's not try to legitimize an attack vector (Friendly from having nothing
to do with the author of the email).

On 9/9/12 2:01 PM, "Barry Leiba" <barryle...@computer.org> wrote:

>>> I will make the change.  I'll also remind the EAI group that
>>> there have been a couple of objections to the
>>> 5322upd-from-group spec, which I have to address.  I might do
>>> that by scoping it down a bit with some "SHOULD NOT use" sort
>>> of language to address those concerns.  Have to review them
>>> and see.
>>
>> My suggestion is to say something like the following:
>...
>> That could be either in Security Considerations or a separate
>> section.  You could even do something radical and incorporate it
>> as a section called "Applicability" and use the words "LIMITED
>> USE" (and, since no one seems to remember, a citation of RFC
>> 2026 Section 3.3).
>
>I have just posted draft-leiba-5322upd-from-group-04:
>   http://datatracker.ietf.org/doc/draft-leiba-5322upd-from-group/
>
>That changes the definition of Sender as well as From, and also adds a
>new "Applicability Statement" section that has an edited version of
>John's suggested text.  I like the result, and I hope others do as
>well.  I will post something to the 5322upd-from-group thread, asking
>that those who had objected look at the new text and see if they're
>happy (or at least somewhat happier) with it.
>
>Barry
>_______________________________________________
>IMA mailing list
>i...@ietf.org
>https://www.ietf.org/mailman/listinfo/ima
