From: Douglas Otis [mailto:dotis(_at_)mail-abuse(_dot_)org]
On Fri, 2005-01-07 at 14:09 -0800, Hallam-Baker, Phillip wrote:
HELO validation in the style of CSV using SPF records for
data may be a very effective and useful complement to MASS.
A security benefit potentially derived from MASS is a
relatively strong authentication of the domain administering
access to the mail channel. Authorization schemes associated
with different identifiers such as MAILFROM or headers within
the message by filtering software compels authorization to a
diverse array of providers. As such, the entity providing
authorization may be far removed from administering the
authorized transport and potentially injured by a security
lapse well beyond their control.
Not attributing abuse to the wrong entity requires
authentication, and not just authorization, as the mail
channel does not have adequate integrity otherwise.
Authentication and authorization are orthogonal and
independent efforts. Nothing, after the fact, changes the
intent of a record. This conversation should be on the
proper reflector:
As far as the recipient is concerned, SPF provides authentication data,
and always has done.
The confusion of some of the group members on that topic and their inability
to understand the established terminology of the field does not change that
fact.
All authentication schemes invariably conflate authorization to some degree
since the mere existence of an authentication credential is in almost all
cases indicative of the existence of a corresponding authorization datum at
the point in time when the credential was created, otherwise why bother to
create it?
The SSL certificates sold by VeriSign and every other CA effectively
conflate authentication with authorization; that is one of the reasons that
the system works. So your claim that the two schemes 'are' orthogonal would
seem to be disproved entirely, and in the light of the fact that Browser SSL
is the most successful cryptographic protocol deployed to date, I don't think
the claim works in the normative sense either.
Perhaps if you had been willing to listen to what I was trying to say at the
MARID face to face rather than constantly interrupting and heckling as you
did, you might be in a better position to understand these rather elementary
principles of computer security terminology.