From: Bill Davidsen (davidsen@prodigy.com)
Date: Tue Jan 08 2002 - 08:36:20 CST
On Fri, 4 Jan 2002, Seth Breidbart wrote:
> Bill Davidsen wrote:
>
> >> The fact is that some ISPs want Sender (if present) or From (if Sender
> >> not present) to be the account that was validated in order to cause
> >> the post to be allowed to be injected.
> >
> > Then let them reject the post, instead of compromising privacy.
>
> We can't specify policy for ISPs.
I don't think we're trying to, I'm just pointing out that if their policy
is that the From: must be the same as the login name, they can reject the
post, they need not create a Sender: at all.
H O W E V E R
After thinking about the points raised, there is a case in which the
injector could know the address is invalid, and that is if it is not in
standard format, user@FQDN. In that case I could live with MAY add a
sender header, although I'm not really happy with it. It would at least
encourage people to use .invalid on the end of an address.
I'd still rather have the post rejected.
People don't necessarily have any clue that the reason they get so much
SPAM is that they have a working address in their usenet postings. I'm
still convinced that there are many people who
[... snip ...]
> > There are lots of ways to track the poster which don't involve
> > giving out personal information. That might actually violate laws in
> > some places, and certainly is the wrong direction to go in a
> > standard.
>
> Nobody is saying that the standard should recommend that. I'm saying
> that in a footnote it should warn people that some ISPs _do_ that. We
> should also deprecate that behavior.
Okay.
> He later wrote:
>
> >> I agree that Injector-Info is a better place to do it; however, that
> >> header might be included by a poster and signed, so the "breaking of a
> >> signed article" problem cannot be avoided.
> >
> > Is there a reason I don't recall for why we would allow this to be a
> > user-provided header? At all?
>
> It shouldn't be; that was a strawman argument that if a user provides
> and signs it, then the injector replacing it will break the signature.
As someone pointed out, some mailing list gateways do use Sender: to
indicate the origin of the post. I can see 'current practice' raising its
head here, perhaps justifyably in this case.
> >> To the extent that this draft is codifying existing practice, I think
> >> that including a warning in the Note is the right thing to do. If we
> >> want to say "MUST NOT" alter a Sender header, I don't have a problem
> >> with that; but we should note that a lot of existing software is
> >> non-compliant with that requirement.
> >
> > That sounds right, hopefully the software will change over a few years.
>
> Anybody else? We seem to have reached some level of agreement here.
At this point I think ">" is John Stanley...
> >>> Why shouldn't we prohibit an action that will break any future
> >>> possibility of signing articles?
> >
> >>For an incredibly small value of "any future possibility".
> >
> > If you want to call "every article" an incredibly small value, that's
> > your decision.
What we are discussing is having two items, the name of the entity doing
the POST as seen by the server (a login of some kind), and the name of
the POSTer as seen by him/her/it (person or injection software). It would
seem that there should be two placed for this, although I'm still against
having the injector provide a mailable address.
-- -bill davidsen (davidsen@prodigy.com) "The secret to procrastination is to put things off until the last possible moment - but no longer" -me