ietf-mxcomp

RE: Everyone back from Seoul yet?

2004-03-09 12:35:05

"What *identity* is it that needs to be authorized".

At a first glance I thought pretty good question. 

At a second glance I thought ambiguous question (or maybe my
English is not good enough).

First off I understood the problem statement was about authentication, not
authorization.  There's a difference: authentication is who you are or who
you represent, authorization is what you're allowed to do.  In SMTP I'd still
want everyone to be allowed to send me mail, I just want to know who they are
or who they represent first.

This is a simplified explanation but it works.  I like the KISS principle
myself.  It was enough for me to know who they represent (the domain) as I
can complain to, or refuse mail from, who they represent.

What does *identity* mean?

<http://www.yourdictionary.net/identity.html>

1. identity, personal identity, individuality -- the distinct personality of
an individual regarded as a persisting entity; "you can lose your identity
when you join the army" 
2. identity -- the individual characteristics by which a thing or person is
recognized or known; "geneticists only recently discovered the identity of
the gene that causes it"; "it was too dark to determine his identity"; "she
guessed the identity of his lover" 
3. identity, identity element, identity operator -- an operator that leaves
unchanged the element on which it operates; "the identity under numerical
multiplication is 1" 
4. identity, identicalness, indistinguishability -- exact sameness; "they
shared an identity of interests" 

I guess I'm interested in the 4th definition, an identity of interests (in
this case the domain represents the interest).  It simplifies the problem.

In case of the "whom":

- IPv4 address of SMTP peer
- IPv6 address of SMTP peer
- Any IPv4 wrap into IPv6 address?
- Certificate contents if SMTP over TLS?
- Phone number when using mobile in connect mode
- MAC address?

All of these could be associated with whom the sender represents (the
domain), and in some cases be associated with the sender directly.

Some of the proposals dealt with authenticating the sender directly, as well
as or instead of whom the sender represents.  The only problem I have with
this is spammers can use this to obtain valid e-mail addresses, much like
address-mining through rapid RCPT TO: commands and stripping the 5xx
responses.  This is why many mailers will now accept all mail for their
domain on a RCPT TO and send an NDR after the fact.

I think authenticating the domain only avoids this problem for the same
reason.

- Cryptographic challenge-response?

I won't go there - patented, for one thing.

-- 
PGP key (0x0AFA039E): 
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
What's a PGP Key?  See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
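
The address-mining pattern mentioned in the message above (rapid RCPT TO commands answered with 5xx), seen from the receiving server's side, as an added example that is not part of the original post. The event tuple layout, the thresholds, and every address and timestamp below are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, peer, rcpt, code):
    """Build one event: (timestamp, peer IP, RCPT TO address, SMTP reply code)."""
    return (datetime.fromisoformat(ts), peer, rcpt, code)


# Constructed sample data (documentation IP ranges, example.org mailboxes).
GUESSES = ["admin", "info", "sales", "bob", "carol", "dave", "erin"]
SAMPLE_EVENTS = sorted(
    # A normal sender: one delivery, one mistyped address minutes later.
    [_ev("2004-03-09T12:00:05", "192.0.2.10", "alice@example.org", 250),
     _ev("2004-03-09T12:03:00", "192.0.2.10", "alise@example.org", 550),
     # The probing peer eventually hits one valid mailbox.
     _ev("2004-03-09T12:01:07", "198.51.100.7", "alice@example.org", 250)]
    # Seven guesses in seven seconds, all rejected.
    + [_ev(f"2004-03-09T12:01:0{i}", "198.51.100.7", f"{g}@example.org", 550)
       for i, g in enumerate(GUESSES)]
    # Five rejections spread over twenty minutes (stale list, not a burst).
    + [_ev(f"2004-03-09T12:{10 + 5 * i}:00", "203.0.113.5",
           f"typo{i}@example.org", 550) for i in range(5)]
)


def find_harvesters(events, window=timedelta(seconds=60),
                    min_rejects=5, min_ratio=0.8):
    """Flag peers whose RCPT TO commands inside one sliding window are mostly
    rejected with 5xx. Events must be sorted by timestamp.
    Returns {peer: highest rejected count seen in any flagged window}."""
    recent = defaultdict(deque)  # peer -> (timestamp, was_rejected) in window
    flagged = {}
    for ts, peer, _rcpt, code in events:
        q = recent[peer]
        q.append((ts, 500 <= code <= 599))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        rejects = sum(1 for _, rejected in q if rejected)
        if rejects >= min_rejects and rejects / len(q) >= min_ratio:
            flagged[peer] = max(flagged.get(peer, 0), rejects)
    return flagged


if __name__ == "__main__":
    for peer, count in find_harvesters(SAMPLE_EVENTS).items():
        print(f"{peer}: {count} rejected RCPT TO within one window")
```
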