From: Bill Davidsen (davidsen@prodigy.com)
Date: Fri Jan 11 2002 - 09:46:32 CST
On Thu, 10 Jan 2002, John Stanley wrote:
>
> Seth Breidbart (sethb@panix.com):
>
> > We can't specify policy for ISPs.
>
> We aren't trying to. We are trying to specify that an injector MUST NOT
> insert or change an indentity header when it cannot know the header is
> wrong.
>
> >Nobody is saying that the standard should recommend that. I'm saying
> >that in a footnote it should warn people that some ISPs _do_ that. We
> >should also deprecate that behavior.
>
> No, we should forbid that behaviour, since it will absolutely break the
> ability to sign an article.
>
> >It shouldn't be; that was a strawman argument that if a user provides
> >and signs it, then the injector replacing it will break the signature.
>
> So what? If someone signs the Injector-Info header, that is his problem.
> On the other hand, if someone inserts the correct data in both From and
> Sender headers and signs the article, the injector MUST NOT change those
> headers. Period. Even if it thinks it knows better, because it cannot
> "think" any such thing.
To be I sure I said this clearly, I am against deleting or rewriting
these headers, but I do believe that an injector MAY reject headers which
appear to be bogus (format, obvious forgery, etc).
-- -bill davidsen (davidsen@prodigy.com) "The secret to procrastination is to put things off until the last possible moment - but no longer" -me