I think that the proposals listed below are a good stab at the question
of how one derives the identity, but I think it still skips the step of
what the specific identity is that needs to be authorized. Given the
proposed scope of this group - to verify that an MTA is authorized to
send mail - the identity we need to validate would seem to be that of
the sending MTA. Depending on which of the approaches we take, once we
obtain the identity of the sending MTA, we can make additional assertions:
- The MTA with this identity is authorized to send mail (of any sort)
- The MTA with this identity is authorized to send mail on behalf of
users at a specified domain
But this latter choice would seem to be more of a policy question
rather than the identity question.
-Edwin Aoki
-Chief Architect, America Online

Hadmut Danisch wrote:
On Tue, Mar 09, 2004 at 10:04:53AM -0800, Ted Hardie wrote:
"What *identity* is it that needs to be authorized".
At a first glance I thought pretty good question.
At a second glance I thought ambiguous question (or maybe my
English is not good enough).
What does *identity* mean? Whom to authorize or the mail address
someone needs to be authorized to use?
In case of the "whom":
- IPv4 address of SMTP peer
- IPv6 address of SMTP peer
- Any IPv4 wrap into IPv6 address?
- Certificate contents if SMTP over TLS?
- Phone number when using mobile in connect mode
- MAC address?
- Cryptographic challenge-response?
regards
Hadmut
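The two messages above separate two questions: how the identity of the sending MTA is derived (Hadmut's list of "whom" candidates, such as the IPv4 or IPv6 address of the SMTP peer, including IPv4 addresses wrapped in IPv6) and what is then asserted about it (Edwin's two assertions: may send at all, may send for a given domain). The following Python is an added example, not code from either poster or from any working group draft. It assumes a policy keyed on IP networks, uses a constructed policy table with documentation-range addresses, and shows the one derivation edge case the thread raises: an IPv4-mapped IPv6 peer address must be reduced to its IPv4 form before the policy lookup, or a policy written in IPv4 terms silently fails to match.

```python
import ipaddress

# Constructed sample policy (values made up for illustration):
# sending-MTA identity (IP network) -> domains it may send on behalf of.
# An entry with an empty set means "may send mail, but for no domain here",
# which is Edwin's first assertion without the second.
MTA_POLICY = {
    ipaddress.ip_network("192.0.2.0/24"): {"example.com"},
    ipaddress.ip_network("2001:db8::/32"): {"example.com", "example.net"},
    ipaddress.ip_network("198.51.100.25/32"): set(),
}


def normalize_peer(addr: str):
    """Derive a canonical identity from the SMTP peer's address string.

    An IPv4-mapped IPv6 address (::ffff:192.0.2.10) is reduced to the
    plain IPv4 address so that policy keyed on IPv4 networks still matches.
    Everything else is returned as parsed.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def authorized_domains(addr: str):
    """Return the set of domains this peer may send for, or None if the
    peer identity matches no policy entry at all."""
    ip = normalize_peer(addr)
    for net, domains in MTA_POLICY.items():
        # Version check is explicit for readability; ipaddress already
        # treats a v6 address as outside any v4 network.
        if ip.version == net.version and ip in net:
            return domains
    return None


def may_send(addr: str) -> bool:
    """Edwin's first assertion: the MTA with this identity may send mail."""
    return authorized_domains(addr) is not None


def may_send_for(addr: str, domain: str) -> bool:
    """Edwin's second assertion: the MTA may send for users at `domain`.
    This is the policy decision layered on top of the derived identity."""
    domains = authorized_domains(addr)
    return domains is not None and domain.lower() in domains


if __name__ == "__main__":
    for peer in ("192.0.2.10", "::ffff:192.0.2.10", "2001:db8::1",
                 "198.51.100.25", "203.0.113.1"):
        print(peer, "->", normalize_peer(peer),
              "send:", may_send(peer),
              "for example.com:", may_send_for(peer, "example.com"))
```

Without the `ipv4_mapped` step, `::ffff:192.0.2.10` parses as an IPv6 address, matches no IPv4 network, and the peer is treated as unknown even though the IPv4 policy covers it; whether that failure is open or closed depends entirely on what the caller does with `None`.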