I don't believe the scope of this working group covers individual
identity, although some of the proposals within it do cover the notion
of domain identity (e.g., domain name, not IP address). That's why I
believe that there is a single identity (the IP address), that can map
to one or more policies.

Policies that solely list which IP addresses are authorized to send mail
need worry only about the identity which is the sending MTA's email
address. Policies which go a step further and try to assert that mail
from a given IP address is being sent on behalf of a particular domain
need to worry about two pieces of information: the identity for
authentication (IP address) and an identity for authorization (that IP
address' mapping to a domain contained within the sender's email
address). Of course in this scenario, this in turn leads to the
question of which email address you're referring to: envelope address,
From line, etc.

Cheers,
-Edwin Aoki
-Chief Architect, America Online

Hadmut Danisch wrote:

On Tue, Mar 09, 2004 at 01:35:07PM -0600, Gordon Fecyk wrote:

"What *identity* is it that needs to be authorized".

First off I understood the problem statement was about authentication, not
authorization. There's a difference: authentication is who you are or who
you represent, authorization is what you're allowed to do. In SMTP I'd still
want everyone to be allowed to send me mail, I just want to know who they are
or who they represent first.

Exactly, authentication is about who you are (here: IP address),
and authorization is what you're allowed to do (here: use e-mail
address).

But many people use "identity" for the e-mail address.
So my question was whether he was talking about the IP address
or the e-mail address when talking about "identity".

regards
Hadmut