From: John Stanley (stanley@peak.org)
Date: Wed Jun 05 2002 - 12:54:50 CDT
Henry Spencer (henry@spsystems.net):
>Moreover, I actually paid attention to Charles's last-call
>deadline for comments.
That's nice for you. You might notice that I replied to something you
sent. It's a bit disengenuous to imply that your comments cannot be
replied to because you made them so close to the end of the artificially
created "last-call" deadline. And I notice that you did not chastise
anyone else you are currently in discussion with about this.
> How so? The draft does not define "address",
The draft is written in English (or english, for those who wish to whine
about spelling or capitalization).
>... a distinction between an "address" and a "valid address".
So, tell me, for whom is "joe@bite.me.you.damn.spammers" an address? It's
not an address. It goes nowhere. And your point is still moot because the
reader isn't necessarily going to make the nit-picky distinction you want
him to, he's going to see "address" and assume it has the standard meaning
of "email address for someone". He isn't going to look at
8#*!3@f.jg3.852.jfdksa and say "that's an address", he's going to call it
line noise.
> ...Whether or not
> a valid address can subsequently be extracted from such an
> address falls outside the scope of this standard (though it
> would be pointless to use a disguise so easily penetrable).
Yes, a clear admission that we know it will happen, and yet nobody says
"don't do it", they say "it's not our fault if it happens."
>I see nothing here that specifically requires changing, although the
>chance of other careless readers
I am not a "careless reader", Henry, and your use of insult does not help
your argument.
> I think you are reading too much into an unintentional quirk of wording,
This is an internet draft standard. It should not have "quirks of
wording". If it does not say what it is supposed to, it should be fixed.
It isn't as if this group hasn't had plenty of time to fix this problem.
This sudden desire on your part to cut off debate because Charles says so
doesn't change the fact that this "quirk of wording" has been in the draft
for a long time and was pointed out a long time ago.
> The standard is primarily addressed to implementors, not users.
The standard applies to users, too.
>but then -- in an
>annotation for that very same section -- warns that the intent might be
>defeated by a feature which is sometimes desirable for other reasons.
Who is reading too much into these "quirks of wording" now? I see nothing
in the note that says that overriding the user's explicit choice to hide
his spammable email address by putting in a guess at a spammable address
for him is "sometimes desireable". In fact, I cannot think of one reason
it would ever be desirable (and nobody has presented one here). All I see
is a statement that the injecting agent may insert the data for him. We've
already seen too much discussion about how tracing headers don't need to
contain actual user data to be confused into thinking that they must
contain it, or are you?
>How is my *software* supposed to determine that?
I don't care how your software determines that. Your software doesn't need
to determine that. And your software won't be "glancing" at the contents
of the From header, it will either (erroniously) attempt to process it for
some unknown and unnecessary reason, or it will simply pass it on.
I've give you a free clue, though. When you do a DNS lookup on the domain
"bite.me.you.damn.spammers", the result might be an indication whether or
not that address is valid.
>One can attempt
>to legislate that only "obvious" mangling be used, but this ends up being
>a great deal more complex than a simple requirement that ".invalid" be
>appended.
The issue is not the suggestion (if it were a requirement you can bet that
1) I'd be a lot more vocal about it than I am, 2) it would be routinely
ignored, and 3) the draft would face a serious challenge as not
documenting current practice) that .invalid be appended, it is the actions
of the injecting agent when it sees .invalid or any other content that it
cannot determine is the entity that posted the article.
>And what about the terser jerk who writes it "joe@bite.me", without
>considering that .me may be a valid TLD?
1) It isn't. It took me less than 15 seconds to figure that out. 2) If it
were, it is outside the scope of this discussion, since we aren't talking
about forged addresses, only munged ones.
>This depends very much on circumstances. Some organizations (e.g.
>universities) may wish to require that the poster's actual address appear
>in at least one place in the message, for practical or legal reasons.
Then they can reject any article in which the one "true" address for the
poster does not appear in the article. That leaves the choice up to the
user. Isn't that a Good Thing?
> A blanket prohibition is inappropriate.
This draft is intended to define the legal formats for news articles, and
the legal contents of specific headers and how they are used. Prohibiting
the misuse of a header is well within the scope of this draft, and when it
is necessary to make the draft internally logically consistent, a
requirement.
>We are not telling naive users anything;
We are telling all users how they should formulate the content of the From
header if they want not to reveal their spammable or other email address
for whatever reason. Yes, sir, that includes naive users as well as
seasoned ones.
>The way for a user to determine such things is
>by reading a suitable tutorial, not a standard.
And just what document do you imagine might be used as a reference for any
such tutorial? And do you think that tutorial should match this draft or
contradict it? Just what document is the user supposed to read if he wants
to learn more than the tutorial tells him?
No, sir, silently circumventing the user's explicit action is wrong, and
should be clearly identified as such in this draft. Don't be confused into
thinking that this means that every injector must accept every article
that obeys the format defined in this draft; I'm sure that you don't need
reminding that injectors may reject articles based on any policy the site
wants to implement, even one as ludicrous as "you must use a spammable
address in every article you post so our mail servers can be beaten even
further into the ground processing the resulting spam". But site policy is
not what this draft deals with, it deals with formats and definitions of
headers. Sites do not get to play with those willy-nilly. Prohibitng the
misuse of the Sender header, and a deliberate circumvention of a formally
defined From header content, is well within the scope of this standard.