From: John Stanley (stanley@peak.org)
Date: Fri Feb 06 2004 - 12:24:34 CST
Seth Breidbart (sethb@panix.com):
>Good point. There are actually 3 cases:
>Panix's injector knows that I'm sethb@panix.com.
It knows that you can authenticate yourself as the owner of that email
address.
>It can assume that I'm _not_ postmaster@panix.com or
>BillDavidsen@panix.com (because if I were I could prove it, and I
>didn't).
No, just because you could have proven it doesn't mean it can assume
you are not either when you don't. I could prove to you that I have
a certain email address, but you cannot assume that I do have that
address just because I don't care to prove it to you. You're smack
in the middle of "I don't know" land.
>It has no idea whether I'm sethb@sethbreidbart.com.
>I can see refusing to inject in the second case;
Other than that it cannot really assume, at the level of this standard.
Or RFC, or whatever we are going to call the documents we produce. We're
dealing with generic injectors.
It can do so as site policy. The site admin can say "anyone posting with
a panix address must use their own authenticated address". But then,
it isn't "making an assumption" based just on your failure to authenticate
as postmaster, it is using the additional knowledge that site policy says
you have to do so to post using that address.
However, the standard should not imply that any injector can know that any
arbitrary address does not belong to the poster, nor should it equate an
unknown address with forgery. Additional information provided outside the
scope of this standard by site policy may refine the desired actions.