ietf-dkim
[Top] [All Lists]

RE: [ietf-dkim] Purpose and sequencefor DKIM specificationand deployment

2005-08-30 07:49:55
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Jim Fenton

I have been struggling with the use of "authenticate" and "authorize" 
ever since I started working on IIM.  I had a different 
notion there -- 
that one authenticated the message (with the help of the 
included key) 
and then checked the authorization of the private key holder to send 
mail.  But that taxonomy doesn't really help here.

The data stored in the DNS is syntactically identical to an
authorization record. The problem is provenance. Consider the following

Aardvark.com sends to Bobble.com
        bobble.com accepts the email from Aardvark 

Spamalot.com sends to Bobble.com
        bobble.com rejects the spam

The problem with calling the record 'authorization' is that this is
exclusively the right of the recipient. Bobble.com is not using the data
sent from spamalot.com as authorization data.

In fact what Bobble.com actually does is to use the key record AND the
policy record as credentials:

A) The key record is used to authenticate signed mail
B) The policy record is used to reject unsigned mail

A and B are both answering the question 'is this message authentic'.


I have often thought that we need to invent or appropriate 
other words 
to describe what we're doing here because "authenticate" is usually 
applied to a human, not a message.  Any ideas?

The term policy is well established in the litterature. Matt Blaze used
the term in Policymaker ten years ago, I don't think that was the first
use of the term either.



_______________________________________________
ietf-dkim mailing list
http://dkim.org

<Prev in Thread] Current Thread [Next in Thread>