On Sat, 2004-12-04 at 14:07, Stephen Pollei wrote:
On Sat, 2004-12-04 at 12:51, Dave Crocker wrote:
So you are trying to create an audit trail of validations?
Why not simply add this to a Received header?
That's where we put audit information.
Some people have suggested Authentication-Results instead.
http://ietfreport.isoc.org/ids/draft-kucherawy-sender-auth-header-00.txt
This auth-header draft is attempting to solve a different problem. It
is a header intended to convey a level of path registration
authorization as it passes through the Internet. This header can not be
trusted and is therefore almost worthless. :(
The verification header is to introduce the accountable entity that
permit authentication. Authentication is either completed or not.
There could also be an indication of being not being authorized, but
that message would have been rejected and thus there should be no reason
to note this case. I don't know the value of saying something went
wrong when trying to do a lookup, as I would expect this to result in a
TempFail. There are no valid halfway values.
The entity may not be known once a signature is removed. The concept
was to isolate this information to be from a trusted domain (MDA). In
the case where a message is reissued from this domain, then relabeling
this header and having it included within the domain's signature, the
final recipient would obtain useful information. This could be useful
for evaluating messages sent through a mailing list that sign messages,
as example. If the recipient trusts information obtained from the
mailing list, then tracking the source of a problem is made easier with
this pass-through header (when signed). Should someone attempt to
perpetrate a hoax, the needed information to track this would be
retained within the pass-through version of the header.
-Doug