Re: [EAI] draft-leiba-5322upd-from-group discussion

Barry Leiba <barryleiba@computer.org> Wed, 11 July 2012 19:02 UTC

Return-Path: <barryleiba.mailing.lists@gmail.com>
X-Original-To: ima@ietfa.amsl.com
Delivered-To: ima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CB1B11E8101 for <ima@ietfa.amsl.com>; Wed, 11 Jul 2012 12:02:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.883
X-Spam-Level:
X-Spam-Status: No, score=-102.883 tagged_above=-999 required=5 tests=[AWL=0.095, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iKPZJnKgSOQP for <ima@ietfa.amsl.com>; Wed, 11 Jul 2012 12:01:59 -0700 (PDT)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by ietfa.amsl.com (Postfix) with ESMTP id 6FF7E11E809B for <ima@ietf.org>; Wed, 11 Jul 2012 12:01:59 -0700 (PDT)
Received: by lbbgo11 with SMTP id go11so2291714lbb.31 for <ima@ietf.org>; Wed, 11 Jul 2012 12:02:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; bh=dCeN3/okJ48MKO2D4ApnuzLFiwNw4T9QsgFcJZmz2Sc=; b=PJxKO3Z87Tiv0gsDm/rnweltYcIhMPpasyI/zLwdwXVOBLVSSxcYfd/73MNSYzFyEi 1OBmK2uswnLo/+gENaVuADrRjgs7uYFzEftmVH6sXxbu9+ymo4Uqk7dkXSVVUrD2rjz0 VOyuegE8yx0oEpY0QINTfjU4O3vrwyyCxnsthOg6t8ClIuGkQfvcMiGu5gDrGGqK1Okd ELw5F4unz4XHondXlYQ8/X91nPG0/BiHgJvytB1EnWXRQCQ7QLVbl4h2hyE2wYPcKwSy 9sUr2C7/g/t81dK10W8Ui6pzMJv1DnKdiFRRjZjqwDPOGBSChSEOMzRS8R7xoQl/UJu2 UY8g==
MIME-Version: 1.0
Received: by 10.112.36.130 with SMTP id q2mr22008006lbj.44.1342033349560; Wed, 11 Jul 2012 12:02:29 -0700 (PDT)
Sender: barryleiba.mailing.lists@gmail.com
Received: by 10.112.17.133 with HTTP; Wed, 11 Jul 2012 12:02:29 -0700 (PDT)
In-Reply-To: <01OHMFVC3IY00006TF@mauve.mrochek.com>
References: <CALaySJ+A-zpeQx09V7i-8o6aZNNvZKDQu0btSEisP87jJun1Gg@mail.gmail.com> <01OHMFVC3IY00006TF@mauve.mrochek.com>
Date: Wed, 11 Jul 2012 15:02:29 -0400
X-Google-Sender-Auth: Ao3te2UCwO24dZgrvC2lqexQfI8
Message-ID: <CAC4RtVDXMuU+ogDwCzMoGBs2shPZFgmFbM2fOHaV83VdNhCNnQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: ned+ima@mrochek.com
Content-Type: text/plain; charset="ISO-8859-1"
Cc: ima@ietf.org
Subject: Re: [EAI] draft-leiba-5322upd-from-group discussion
X-BeenThere: ima@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "EAI \(Email Address Internationalization\)" <ima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ima>, <mailto:ima-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ima>
List-Post: <mailto:ima@ietf.org>
List-Help: <mailto:ima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ima>, <mailto:ima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2012 19:02:00 -0000

>>    If the from field contains more than one address in the address-list,
>>    then the sender field, containing the field name "Sender" and a
>>    single mailbox specification, MUST appear in the message.
>
>> I don't believe that we plan to use the "Sender" field in the cases
>> where we'll use group syntax in "From", so that MUST can't stay.
>
> Then I guess I'm confused. The cases I'm familiar with in EAI at least involve
> constructing empty groups. The text says "more than one", not "anything
> other than one", so the MUST would not be violated.
>
> If there's a use-case for creating a From: field using a group that
> ends up containing multiple addreseses, I'd like to know what it is so I can
> evaluate whether it warrants overrding the MUST.

Hm, good point.  The text in question was written with the idea of
"from" being mailboxes, and it's not clear that the sender always
knows how groups will expand.

But now that you say this, I think we can consider that a "group" is a
single "address" (as opposed to a multi-address list), and so we can
leave that paragraph as is, with the MUST.  And so I don't think this
is a problem.  Does anyone think otherwise?

>> Please also review the Security Considerations, and make sure I got that
>> right.
>
> The one I don't see is possible exploits involving different clients handling
> of something that used to not be allowed.

Good point; I'll craft something for that and post an updated draft.

b