[mail-vet-discuss] Draft as of 9/4/2007
Eliot Lear
lear at cisco.com
Sun Oct 14 22:24:30 PDT 2007
John,
>
> Anybody who picks up mail from more than one mailbox, which is a whole
> lot of people these days, is going to have to check that an AR header
> arrived via an appropriate path before believing it. Otherwise there's
> an obvious attack if one path manages AR headers and the other one
> doesn't. Ditto people who forward an address on system A to system B,
> if A does AR and B doesn't. Once you're checking the path, it's a
> trivial amount of extra work to check another hop or two and look at
> AR's added farther away.
Wait a second! More than one mailbox in the case you discuss means more
than one border gateway with differing sets of policies and is
inapplicable to what we're talking about here.
> If you want to strip off potentially useful AR headers, nobody can
> keep you from doing that, but don't pretend you're doing your users a
> favor when you do.
Well, it's not clear we are offering anybody any favors with this header
to begin with. The game is likely lost by the time the message gets to
the user's desktop. But given that we're here, you can believe that if
any sort of trust is invested in these headers by clients, then
administrators will want to limit the scope of that trust, mostly
because they'll be unable to verify the headers AND because end users do
far more stupid things than administrators.
Eliot
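
Added example, not part of the original thread: a sketch of the path check discussed above, which keeps an Authentication-Results (AR) header only if it sits above a Received line stamped by a trusted hop, with no untrusted hop in between. The hostnames, the sample message and the acceptance rule itself are assumptions made for illustration and are not taken from the draft.

```python
from email import message_from_string

# Constructed sample, newest header first (each hop prepends its own).
# The third Authentication-Results line was supplied by the sender and
# imitates the authserv-id of the recipient's border MTA.
RAW = (
    "Authentication-Results: mx.b.example; dkim=pass header.d=sender.example\n"
    "Received: from mx.a.example by mx.b.example; Sun, 14 Oct 2007 22:00:03 -0700\n"
    "Authentication-Results: mx.a.example; spf=pass smtp.mailfrom=sender.example\n"
    "Received: from mail.sender.example by mx.a.example; Sun, 14 Oct 2007 22:00:01 -0700\n"
    "Authentication-Results: mx.b.example; dkim=pass header.d=bank.example\n"
    "Received: from localhost by mail.sender.example; Sun, 14 Oct 2007 22:00:00 -0700\n"
    "From: someone@sender.example\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

def received_by(value):
    """Host named after 'by' in a Received header, or None if absent."""
    tokens = value.split(";", 1)[0].split()
    if "by" in tokens[:-1]:
        return tokens[tokens.index("by") + 1].lower()
    return None

def authserv_id(value):
    """First token of an Authentication-Results value."""
    head = value.split(";", 1)[0].split()
    return head[0].lower() if head else None

def trusted_ar(raw, trusted_hosts):
    """Return AR values added inside the unbroken chain of trusted hops."""
    kept, pending = [], []
    for name, value in message_from_string(raw).items():
        name = name.lower()
        if name == "authentication-results":
            if authserv_id(value) in trusted_hosts:
                pending.append(value)
        elif name == "received":
            if received_by(value) not in trusted_hosts:
                break              # left the trusted path: ignore the rest
            kept.extend(pending)   # these sit above a trusted hop's stamp
            pending = []
    return kept

if __name__ == "__main__":
    for hosts in ({"mx.b.example"}, {"mx.a.example", "mx.b.example"}):
        print(sorted(hosts), trusted_ar(RAW, hosts))
```

Trusting only the border gateway keeps one header; extending trust one hop back keeps two, and the sender-supplied header is dropped in both cases because it lies below the first untrusted Received line.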