On Mon, 29 Aug 2005, Scott Kitterman wrote:
>> Authentication.
> OK. Well, that answer threw me a bit at first, but I think I understand....
> It was a poor question.
> I gather you are saying that DKIM-base can give you an authentic identity
> that signed the message, but that DKIM-base tells you nothing about whether
> that identity is authorized to be sending the message.
That is basically correct, though the authentic identity is only at the domain
level, just like you have with SPF. You don't really know if whoever created the
message was authorized to have done it; all you know is that he has sent
the message through a system that is known to be a correct sending host
associated with the given domain (from the d= tag in DKIM).
> I know that authentic and authorize are specific terms of art, and I'm trying
> to understand where DKIM stands in relation to them.
> DKIM-SSP attempts to at least partially fill that gap. Is that right?
Despite what some people say, I don't see how DKIM-SSP alone will
seriously change this. What a policy record can do is help find those
who are definitely NOT authorized (just like with SPF), with the assumption
being that the rest are, which is not entirely true. What you still
need is a record indicating that the server that did the signing
also authenticated the user; then you have some form of authorization
(otherwise you could have a different user from the same domain using
somebody else's identity within the same domain, for example).
That is really not all that is missing, because once you have the identity
you still don't know who the user is authorized to be in the email system
(i.e. is the identity supposed to be associated with the Sender, the From header
field, or something else), and it's just something "up in the air" for some
other system to pick up and compare against the actual email message in
some undefined way.
--
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
_______________________________________________
ietf-dkim mailing list
http://dkim.org
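An added illustration of the distinction drawn in the message above (this is example code written for this page, not code from the list, from DKIM-SSP, or from any DKIM implementation): given a DKIM-Signature header and the From/Sender headers, the only thing the signature authenticates is the d= domain, plus whatever user the signer chose to assert in i=. Whether that identity is allowed to stand behind the From or Sender address is a separate decision, and when the signer asserts no user, or a different user than the one in From, the receiver is left exactly where the message says: with an authenticated domain and nothing tying it to the address the reader sees. The header values, the fake bh=/b= values and the verdict labels are constructed for the example, and the signature is assumed to have already verified cryptographically (no DNS or RSA here).

```python
"""Separate what a DKIM signature authenticates from what a receiver must still decide.

Added example for this thread, not code from the list or from any DKIM
implementation.  Assumptions: the DKIM-Signature is taken to have already
verified (no DNS lookup or RSA check here); all header values are
constructed sample input; the verdict labels are hypothetical names.
"""
import re
from email.utils import parseaddr
from typing import Optional, Tuple

# Hypothetical verdict labels for the receiver-side decision (not from any spec).
THIRD_PARTY = "third-party: d= matches neither From nor Sender domain"
DOMAIN_ONLY = "domain authenticated; signer asserted no user (no i= local part)"
FROM_USER = "signer asserts the From user"
SENDER_USER = "signer asserts the Sender user, not the From user"
OTHER_USER = "signer asserts a user other than From or Sender within its domain"


def parse_dkim_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag=value list (';'-separated, header folding allowed)."""
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue                      # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        # Whitespace inside a value is not significant (folded b= / bh= / h=).
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _in_domain(candidate: Optional[str], domain: str) -> bool:
    """True if candidate is domain itself or a subdomain of it."""
    return candidate is not None and (candidate == domain or candidate.endswith("." + domain))


def _split_addr(header_value: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (local-part, domain) of the address in a From:/Sender: value."""
    if not header_value:
        return None, None
    _, addr = parseaddr(header_value)
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()


def assess(dkim_signature: str, from_header: str, sender_header: Optional[str] = None) -> dict:
    """What the signature authenticates (d=, i=) versus how it relates to From/Sender."""
    tags = parse_dkim_tags(dkim_signature)
    d = tags["d"].lower()
    i = tags.get("i", "@" + d).lower()    # default: the signer asserts only the domain
    i_local, _, i_domain = i.rpartition("@")
    if not _in_domain(i_domain, d):
        raise ValueError("i= must be d= or a subdomain of it")

    from_local, from_domain = _split_addr(from_header)
    sender_local, sender_domain = _split_addr(sender_header)
    from_aligned = _in_domain(from_domain, d)
    sender_aligned = _in_domain(sender_domain, d)

    if not from_aligned and not sender_aligned:
        verdict = THIRD_PARTY              # only a policy record for the From domain could speak to this
    elif not i_local:
        verdict = DOMAIN_ONLY              # any user of d= could have put any local-part in From
    elif (i_local, i_domain) == (from_local, from_domain):
        verdict = FROM_USER
    elif (i_local, i_domain) == (sender_local, sender_domain):
        verdict = SENDER_USER
    else:
        verdict = OTHER_USER               # the cross-user case raised in the thread
    return {
        "authenticated_domain": d,
        "agent_identity": i,
        "from_aligned": from_aligned,
        "sender_aligned": sender_aligned,
        "verdict": verdict,
    }


def sample_signature(d: str, i: Optional[str] = None) -> str:
    """Constructed DKIM-Signature value with fake bh=/b= values, folded like a real header."""
    i_tag = f" i={i};" if i else ""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={d}; s=sel1;{i_tag}\r\n"
            "\th=from:to:subject:date; bh=ZmFrZWJvZHloYXNo;\r\n"
            "\tb=ZmFrZXNpZ25hdHVyZQ==")


if __name__ == "__main__":
    cases = [
        (sample_signature("example.com"), "Alice <alice@example.com>", None),
        (sample_signature("example.com", "alice@example.com"), "Alice <alice@example.com>", None),
        (sample_signature("example.com", "alice@example.com"), "Bob <bob@example.com>", None),
        (sample_signature("esp.example"), "Alice <alice@example.com>", None),
    ]
    for sig, frm, snd in cases:
        print(f"{frm:28} -> {assess(sig, frm, snd)['verdict']}")
```

The third case is the one the message warns about: the signature is perfectly valid for example.com, and i= even names a real user of that domain, yet the From header names somebody else in the same domain. Nothing in the signature itself says which of the two the signer actually checked, so "authenticated" and "authorized to appear as From" remain two different questions.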