On Wed, Jun 3, 2020, at 2:30 PM, Alessandro Vesely wrote:
> On Wed 03/Jun/2020 19:27:52 +0200 Dave Crocker wrote:
> > On 6/3/2020 10:20 AM, Alessandro Vesely wrote:
> >> On Wed 03/Jun/2020 18:43:16 +0200 Dave Crocker wrote:
> >>> On 6/3/2020 9:38 AM, Alessandro Vesely wrote:
> >>>> MUAs should be discouraged from displaying or using Author:, unless
> >>>> (verifiably) signed by a trusted domain or otherwise configured by the 
> >>>> user.
> >>> Why?
> >> That avoids the dreaded back-to-square-one path that Brandon conjectured.  It
> >> prevents attacks based on this field, while maintaining the DMARC paradigm.
> > 
> > The barrier you specified sounds reasonable.  But it isn't.
> > 
> > Any signature put in place when the Author: field is created is likely broken
> > by the time it gets to the recipient.  That's the entire problem that
> > necessitates rewriting the From: field.
> 
> 
> That depends on who creates the Author: field.  I'd imagine it can be created
> on rewriting From:.  If it exists already at that time, one can still check (by
> ARC?) if it was signed, and, in case, sign it in turn.

I, too, was wondering whether ARC was really the only practical way to attempt 
this, assuming you don't think it deviates enough from ARC's purpose.


Thanks,
Stan

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
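An added example, written for this thread and not code from any of the posters, of the MUA-side rule Alessandro proposes: display Author: only when a verified DKIM signature from a user-trusted domain covers it. It assumes an upstream DKIM verifier has already reported which d= domains passed; the sample message and the Author: header name are constructed.

```python
from email import message_from_string

# Constructed sample (not from the thread): the forwarder rewrote From:, but
# example.org's signature still covers the Author: field, over-signed once.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;
 h=From:To:Subject:Author:Author; bh=c29tZWhhc2g=; b=c29tZXNpZw==
From: alice via Forwarder <list@forwarder.example>
Author: Alice <alice@example.org>
To: bob@example.net
Subject: test

body
"""

def parse_tags(sig: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (lower-cased tag names)."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def author_display_allowed(raw: str, verified_domains: set, trusted_domains: set) -> bool:
    """Return True only if a verified signature from a trusted domain covers Author:.
    verified_domains is the set of d= values the (assumed) upstream DKIM verifier
    reported as passing; trusted_domains is the user's configured allow-list."""
    msg = message_from_string(raw)
    authors = msg.get_all("Author", [])
    if len(authors) != 1:
        return False  # absent or duplicated Author: is never displayed
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        domain = tags.get("d", "").lower()
        signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
        # Over-signing check: h= must name Author more times than it occurs, so an
        # Author: header prepended after signing would have broken the signature.
        if (domain in verified_domains and domain in trusted_domains
                and signed.count("author") > len(authors)):
            return True
    return False
```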