[Asrg] Authentication/Verification - really two parts

2003-03-21 04:31:24
I want to mention that authentication and verification really have two 
parts, which are possibly independent or parallel paths:

 1. Verify communication between two mail servers. In my presentation 
slides this is listed as a highlighted section which I called the vulnerable SMTP 
connection - a connection between two sites that do not know each other. In 
this case it's a good idea for each mail server to be able to know and 
verify who the other mail server is.

 2. Verification of the actual sender, i.e. you want to know that he's 
allowed to use an email address of the domain he's claiming to be using. 
This usually would imply checking on what is listed in the "From:" header, 
though really it might be better to create a new "Sender" header with the actual 
verifiable email address of the sender plus additional info as in:
http://www.ietf.org/internet-drafts/draft-newman-msgheader-originfo-05.txt

Now #1 and #2 are different things and, for example, when talking about 
crypto techniques - #2 is exactly what S/MIME is supposed to solve 
(identity of sender) while #1 would not be solved by it and would
require more standard site certificates as with HTTP SSL.

Now the final goal is of course to verify the sender by the recipient, but if
all the links in between are secure (each -> in the path
Sender-}Site A->Site I->Site J->Site Z-}Recipient) and each site can 
vouch for one another, then we also have achieved our goal, as the sender is 
known to Site A (so it can vouch for it) and obviously you, the Recipient, know
your mail provider Z. Deployment-wise it's a lot easier to have a solution 
deployed on thousands of email servers than have a billion (is it now?) 
users getting S/MIME or PGP certificates. Also, looking carefully at it, 
it's actually enough that Site Z can verify/authenticate Site A; the 
problem becomes how to deal with Site I and Site J when they are not 
running mail software that can appropriately pass along this kind of 
authorization.
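The hop-by-hop vouching described above, as an added Python model that is not part of the original post: every adjacent pair of sites shares a constructed key (standing in for the site certificates mentioned), each participating site checks the vouch left by its predecessor and vouches forward for what it could verify, and a site that does not run such software just forwards the message. The site names, keys and claim strings are hypothetical.

```python
import hmac
import hashlib

# Constructed per-hop keys for the path Sender-}A->I->J->Z-}Recipient.
# They model site certificates: a site can verify the hop it received over.
HOP_KEYS = {("A", "I"): b"k-AI", ("I", "J"): b"k-IJ", ("J", "Z"): b"k-JZ"}


def _tag(key, claim):
    """Authentication tag a site attaches to its claim for the next hop."""
    return hmac.new(key, claim.encode(), hashlib.sha256).hexdigest()


def relay(path, sender, participating):
    """Walk the message along `path`; return what the last site can assert.

    The first site is the sender's provider and authenticates the sender
    locally. Every later participating site accepts the incoming claim only
    if the previous site vouched for it directly (right hop, valid tag);
    otherwise it records where the chain broke and passes that on instead.
    """
    assurance = None  # what the site holding the message can assert
    vouch = None      # (from_site, to_site, claim, tag) left by the previous hop
    for i, site in enumerate(path):
        if site not in participating:
            continue  # non-participating hop: checks nothing, adds nothing
        if i == 0:
            assurance = f"{sender} verified by {site}"
        else:
            prev = path[i - 1]
            key = HOP_KEYS.get((prev, site))
            if (vouch and key and vouch[0] == prev and vouch[1] == site
                    and hmac.compare_digest(vouch[3], _tag(key, vouch[2]))):
                assurance = vouch[2]
            else:
                assurance = f"chain broken before {site}"
        if i + 1 < len(path):
            nxt = path[i + 1]
            key = HOP_KEYS.get((site, nxt))
            vouch = (site, nxt, assurance, _tag(key, assurance)) if key else None
    # If the recipient's own provider does not participate, nothing is learned.
    return assurance if path[-1] in participating else None
```

With every site participating, Z learns the sender was verified by A; drop Site I from the participating set and Z instead learns only that the chain broke before J, which is exactly the intermediate-site problem the post describes.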

Anyway I'm done describing general authentication/verification solution
approaches, hope it helped...

-- 
William Leibzon
Elan Communications Inc. 
william(_at_)elan(_dot_)net
