I want to mention that authentication and verification really have two
parts, which are possibly independent or parallel paths:
1. Verify communication between two mail servers. In my presentation
slides this is listed as the highlighted section which I called vulnerable
SMTP connection - a connection between two sites that do not know each
other. In this case it's a good idea for each mail server to be able to
know and verify who the other mail server is.
2. Verification of the actual sender, i.e. you want to know that he's
allowed to use an email address of the domain he's claiming to be using.
This usually would imply checking what is listed in the "From:" header,
though really it might be better to create a new "Sender" header with the
actual verifiable email address of the sender plus additional info, as in:
http://www.ietf.org/internet-drafts/draft-newman-msgheader-originfo-05.txt
Now #1 and #2 are different things and, for example, when talking about
crypto techniques - #2 is exactly what S/MIME is supposed to solve
(identity of sender) while #1 would not be solved by it and would
require more standard site certificates, as with HTTP SSL.
Now the final goal is of course for the recipient to verify the sender,
but if all the links in between are secure (each -> in the path
Sender-}Site A->Site I->Site J->Site Z-}Recipient) and each site can
vouch for one another, then we have also achieved our goal, as the sender
is known to Site A (so it can vouch for it) and obviously the Recipient
knows its mail provider Z. Deployment-wise it's a lot easier to have a
solution deployed on thousands of email servers than to have a billion
(is it now?) users getting S/MIME or PGP certificates. Also, looking
carefully at it, it's actually enough that Site Z can verify/authenticate
Site A; the problem becomes how to deal with Site I and Site J when they
are not running mail software that can appropriately pass along this kind
of authorization.
Anyway, I'm done describing general authentication/verification solution
approaches, hope it helped...
--
William Leibzon
Elan Communications Inc.
william(_at_)elan(_dot_)net
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
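
A small model of the two paths described in the message above, added here as an illustration and not part of the original post: it tracks per-hop server verification separately from an origin assertion that Site A attaches and Site Z checks. The header name `X-Origin-Assertion`, the shared HMAC key (a stand-in for site certificates), the example address and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed demo key standing in for Site A's site credential (assumption:
# a real deployment would use certificates, not a shared secret).
SITE_A_KEY = b"constructed-demo-key"
ORIGIN_HDR = "X-Origin-Assertion"  # hypothetical header name


def _tag(sender, body):
    return hmac.new(SITE_A_KEY, f"{sender}\n{body}".encode(), hashlib.sha256).hexdigest()


def site_a_submit(sender, body):
    """Site A knows its own user, so it attaches an assertion vouching for the sender."""
    return {"sender": sender, "body": body,
            "headers": {ORIGIN_HDR: _tag(sender, body)}, "links": []}


def relay(msg, site, verified_peer, passes_assertion=True):
    """One hop: record whether `site` verified the server it received from
    (part 1) and drop the assertion if its software cannot pass it along."""
    headers = dict(msg["headers"])
    if not passes_assertion:
        headers.pop(ORIGIN_HDR, None)
    return {**msg, "headers": headers, "links": msg["links"] + [(site, verified_peer)]}


def site_z_view(msg):
    """Return (hop_by_hop_ok, origin_ok) as seen by the recipient's provider."""
    hop_by_hop_ok = all(ok for _, ok in msg["links"])
    tag = msg["headers"].get(ORIGIN_HDR)
    origin_ok = tag is not None and hmac.compare_digest(
        tag, _tag(msg["sender"], msg["body"]))
    return hop_by_hop_ok, origin_ok


def deliver(path, sender="alice@site-a.example", body="hello"):
    """path: list of (site, verified_peer, passes_assertion) for I, J, ..., Z."""
    msg = site_a_submit(sender, body)
    for site, verified_peer, passes in path:
        msg = relay(msg, site, verified_peer, passes)
    return site_z_view(msg)


if __name__ == "__main__":
    print(deliver([("I", True, True), ("J", True, True), ("Z", True, True)]))
    print(deliver([("I", True, True), ("J", False, True), ("Z", True, True)]))
    print(deliver([("I", True, True), ("J", True, False), ("Z", True, True)]))
```

The second run shows the origin assertion surviving an unverified link, and the third shows it lost when Site J does not pass it along even though every link was verified.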