From: Seth Breidbart (sethb@panix.com)
Date: Thu Jan 03 2002 - 07:53:33 CST
>> Be warned, however, that some injecting agents which are able to
>> detect that the address does not belong to the poster may choose
>> to insert a Sender header (6.2) or some entry in an Injector-
>> Info header (6.19) which discloses the poster's true identity.
>
> This is still as unacceptable as the original text, for the same reason.
> Injecting agents are simply not capable of detecting, as a general case,
> that an email address does not belong to the connected user. Even those
> that require authentication are incapable of doing this. To imply that
> any of them CAN do this is simply and patently absurd.
[later]
>>s/are able to detect that the address does not belong/are unable to
>>detect that the address belongs/.
>
> Same problem. Nice frosting on a piece of crap does not a chocolate cake
> make.
Clearly not the "same" problem as that first paragraph, since
sometimes an injecting agent _can_ tell that the address does belong
to the poster.
>>What now is the injecting agent to do when it sees both a From and a
>>Sender, and is not convinced about either?
>
> Exactly what it knows how to do: nothing at all. It does not know the
> From: is not the sender, it does not know the Sender is not correct.
What it does now (at least, what some of them, those that force a
Sender header do) is to replace the Sender header.
> In other words, every injecting agent will always be "not convinced"
> about any From or Sender header.
That's clearly false-to-fact, given that many injecting agents now are
often "convinced" about From headers.
>> except that it MAY alter a Sender
>> header (6.2) that it perceives to be incorrect ...
>
>> Is that OK?
>
> No. No. And no. Injecting agents cannot "perceive" anything. They cannot
> know. All they can do is guess, and they should not be guessing.
No, but for the reason I gave above; substitute "does not perceive to
be correct" for "perceives to be incorrect", since the latter is
impossible in the general case while the former is sometimes the
case. (I would argue that in reality, the injecting agent usually
perceives the From header to belong to the poster, at least for
legitimate posters in the groups I read. No RFC will affect hipcrime
spew, for example, so I would argue that only legitimate posters and
their injectors should be considered.)
>>If an ISP is clear and makes a decision that its users get no ability to
>>post without their real ID,
>
> This statement makes it painfully obvious that the problem is not
> understood. What "real ID" is this ISP going to enforce?
The one it assigned to the poster. E.g. Panix knows my "real ID" to
be sethb@panix.com.
> What do you say to the ISP when someone breaks in as you and they
> claim you've been posting unacceptable articles and will be TOSsed,
> because THEIR injecting agent doesn't allow unauthenticated From:
> headers?
I'd say to look at the Path to see that the article came from
somewhere else (or their logs, if the Path was forged).
> Suppose I sign up for an ISP that says "you must post using your
> real ID in the From: header". Suppose I post using the ID
> "lurch@lurch.com". Is that my "real ID", or is that a "fake"? I
> assure you, it is quite real, and I own it. What is the ISP going to
> do?
Whatever it wants; presumably, reject the article unless you've
demonstrated to them that you own that ID.
> The first time it plays games with my "real ID" in the From:
> header, I will tell them to stop, because I am following their rules
> to the letter and they have no reason to mess with it.
Why should we be moved by a strawman argument that depends on bad
wording in some hypothetical rule?
Seth