From: Russ Allbery (rra@stanford.edu)
Date: Mon Sep 20 1999 - 11:16:52 CDT
Okay, let's tackle this in chunks.
Charles Lindsey <chl@clw.cs.man.ac.uk> writes:
> 6.2. Sender
> The Sender header specifies the mailbox of the entity which
> actually sent this article, if that entity is different from that
> given in the From header or if more than one address appears in the
> From header. This header SHOULD NOT appear in an article unless the
> sender is different from the author. This header is appropriate for
> use by automatic article posters. The content syntax makes use of
> syntax defined in [MESSFOR].
> Sender-content = mailbox
Can we please deprecate or eliminate this? Nothing on Usenet does
anything good with it, it's not useful for authentication, if it were
useful for authentication that information would be better put into some
header incorporating NNTP-Posting-Host and X-Trace information, it's
incorrectly used for replies if you include it, servers get bright ideas
like using it for authenticating cancels if you include it, and by and
large it's pure clutter.
At the *very* least, please add something along the lines of:
NOTE: Some implementations currently require the Sender header of
a cancel control message to match the Sender header of the article
being cancelled. Posting agents should be aware of this when
generating cancel messages, but use of the Sender header for any
form of authentication including this practice is deprecated by
this standard as it adds no real security and needless confusion
and complexity. Sender SHOULD be treated by all agents as a
comment and not used for any purpose.
-- Russ Allbery (rra@stanford.edu) <URL:http://www.eyrie.org/~eagle/>