ietf-dkim

RE: [ietf-dkim] Purpose and sequence for DKIM specification and deployment

2005-08-29 20:31:09

I gather you are saying that DKIM-base can give you an authentic 
identity that signed the message, but that DKIM-base tells you nothing 
about whether that identity is authorized to be sending the message.

I know that authentic and authorize are specific terms of art and I'm 
trying to understand where DKIM stands in relation to them.

DKIM-SSP attempts to at least partially fill that gap.  Is that right?

No.

Authorization is used as a term of art with respect to a controlled
resource. The ability to inject mail into the Internet is not a control
point. The control point is at the receiver side.

The correct terms of art here are policy and/or credentials.

The policy statement may contain a description of what legitimate email
sent from the domain should look like. It is really an extension of a
certificate. "By these properties shall ye know genuine email from me".

We are firmly in the authentication domain here. It is compatible with
existing uses of the terms to think of the SSP entry as policy or as a
form of credential.

Calling it authorization leads to confusion. Only the control point gets
to decide on authorization policy. The control point here is the email
receiver. If we are not careful we will end up going into the rathole
the SPF folk are still in where they are debating how the sender will
tell the receiver how to configure their spam filter... 


_______________________________________________
ietf-dkim mailing list
http://dkim.org

  • RE: [ietf-dkim] Purpose and sequence for DKIM specification and deployment, Hallam-Baker, Phillip