[mail-vet-discuss] New draft for review

[John Levine]

>> Agreed.  I would like it to say something like a host SHOULD remove
>> A-R headers with names in its own domain that were applied outside its
>> trust boundary.  But it should leave A-R headers for other domains
>> alone.

>I really don't think this rises to SHOULD. Most MUA filters, for
>example, aren't terribly complicated so I'd be pretty worried as an
>admin that users using that might get confused if there were more
>than one to choose from.

Um, aren't we speculating about vaporware here?

If you're planning to use the existing text pattern matching in MUAs,
since they don't have access to a reputation database, the best you can
do is to put in whitelists for known friends and blacklists for failures
on domains like paypal.  I don't see that adding in the name of a verifier
into the pattern to match would tax MUA more than now.  On the other hand,
if we expect to upgrade the MUA to consult reputation databases, then it
can clearly do whatever you want.

>Deciding to strip it as a matter of policy seems like a pretty
>reasonable thing since it has the potential to cause grief.

As I said in my previous message, stripping other people's A-R headers
removes valuable functionality.  Is it really a good idea to do that
just because you're worried that yet-to-be-written software might
screw up?

R's,
John