I agree that conflation of auth and authz is an often-made
mistake. We (Jim and I) have been very clearly
distinguishing authentication and authorization for our own
part for a very long time. In words, the three way handshake
is:
1) Sign a piece of mail
2) Verify the mail given a public key (= authenticate)
3) Check back at the KRS to see if the key is authorized
to send for that domain
The return value from the KRS really is an explicit
authorization record. This is another reason that S/MIME
isn't a very good fit: certificates only provide
authentication (i.e., a name/key binding) [*].
Mike
[*] yes, attribute certs, but I'm talking about what's
really out there...
Dave Crocker writes:
On Tue, 05 Oct 2004 15:09:38 -0700, Jim Fenton wrote:
What's important in this space is not whether I'm "Jim Fenton
<fenton(_at_)cisco(_dot_)com>" as my PGP key says I am, but whether the
administrators of my domain agree that I'm authorized to send
mail using that address.
I have not noticed the matter of 'authorization' cited explicitly
in discussion in the arena of MASS.
CSV treats authentication and authorization explicitly, but
independently. Some other, non-MASS proposals mix them together.
But until now, I hadn't noticed message header/content
authentication being discussed as including email-usage
authorization.
Certainly it is a major bit of semantics, so we need to make sure
we are explicit about it and have sufficient consensus.
d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker(_at_)(_dot_)(_dot_)(_dot_)
brandenburg.com
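
The three-step handshake described at the top of this message (sign, verify, check back at the KRS), as an added example that is not code from the thread or from any of the proposals discussed. It assumes a hypothetical in-memory KRS keyed on (domain, key fingerprint), a public key that travels with the message, constructed example.com data, and toy unpadded RSA in place of a real signature scheme so that it runs offline.

```python
import hashlib

# Toy textbook RSA over well-known Mersenne primes, no padding: enough to show
# the control flow offline, not usable as real cryptography.
def make_key(p, q, e=65537):
    n = p * q
    return {"pub": (n, e), "d": pow(e, -1, (p - 1) * (q - 1))}

def _digest(sender, body):
    # The From address is covered by the signature along with the body.
    data = b"From: " + sender.encode() + b"\r\n\r\n" + body
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(key, sender, body):                      # step 1: sign the mail
    n, _ = key["pub"]
    return pow(_digest(sender, body), key["d"], n)

def verify(pub, sender, body, sig):               # step 2: authenticate
    n, e = pub
    return pow(sig, e, n) == _digest(sender, body) % n

def fingerprint(pub):
    return hashlib.sha256(repr(pub).encode()).hexdigest()

class KRS:
    """Hypothetical in-memory key registration server (an assumption)."""
    def __init__(self):
        self._records = set()
    def register(self, domain, pub):
        self._records.add((domain.lower(), fingerprint(pub)))
    def authorized(self, domain, pub):            # step 3: authorize
        return (domain.lower(), fingerprint(pub)) in self._records

def check_mail(krs, pub, sender, body, sig):
    if not verify(pub, sender, body, sig):
        return "unauthenticated"
    domain = sender.rsplit("@", 1)[-1]
    if not krs.authorized(domain, pub):
        return "authenticated, not authorized"
    return "authorized"

# Constructed sample data: example.com registers one key; a second key is
# cryptographically valid but was never registered for the domain.
DOMAIN_KEY = make_key(2**521 - 1, 2**607 - 1)
OTHER_KEY = make_key(2**607 - 1, 2**1279 - 1)
REGISTRY = KRS()
REGISTRY.register("example.com", DOMAIN_KEY["pub"])
```

A signature made with OTHER_KEY over mail claiming an example.com sender passes step 2 and is stopped only at step 3, which is the distinction between a name/key binding and an authorization record.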