ietf-mxcomp

Re: Authentication and Authorization

2004-03-11 12:55:10

On Thu, Mar 11, 2004 at 11:04:25AM -0800, Edwin Aoki wrote:

> I (Edwin Aoki, aoki(_at_)aol(_dot_)net) try to send a piece of mail to (for
> example) Dave Crocker.

That's a good start for an example, but it's only the simplest
case and does not cover the pathological cases.

> * I, Edwin Aoki, authored (created) this message

That's clearly a matter of digital signatures. While this is
beyond the scope of SMTP verification, the authorization record
could contain a fingerprint of a pubkey or CA.

> * I, Edwin Aoki, sent (caused to be injected into the mail stream) this
> message

That will be difficult. It's neither message authentication (because
you're not the author here), nor entity authentication (because you're not
the sending MTA and communication peer).

A solution would be to create an additional pseudo-message,
consisting of the Message-ID, a hash sum of the body, the sender and recipient
addresses, and a digital signature, encoded e.g. in a header line.

> * A machine at 1.2.3.4 is authorized to send mail
> * A machine at 1.2.3.4 is authorized to send mail on behalf of AOL
>   (aol.net)

What's the point of the former one? If the latter one is true for
any domain, what do you need the former for? If the latter one is
not true for any domain, what's the use of the former?

I do not strictly object, but this needs to be defined more precisely.

> I think one of the things that hangs us up is the notion that
> authorization is built into any of these proposals.  They aren't.  They
> provide a mechanism for the sending domains to list various assertions
> ("Policy" below, which I think is a fine term), that receiving MTAs can
> then use to make authorization decisions.

I believe there is some confusion about the term "authorization".
RMX and similar records are authorization statements. Why shouldn't
they be?

Policy is the wrong term here. A policy would be to reject all
messages which fail the LMAP/RMX/... check, i.e. how to treat messages
which failed the authorization check.

> But also note that there are
> two different "senders" here.  The individual who created the message
> (author) and the MTA from which any given MTA receives a message.

There are three:

- author
- transmission initiator (the one injecting into the mail network)
- sender (MTA)

> I don't want to get into a semantic argument either, but we need to get
> some clarification on the terms we're using, or we're never going to be
> able to communicate this out to the world.

We should therefore use the terms as they have been defined outside in
the world instead of trying to redefine them.

> And receiving MTAs can make a statement that says, "we will only
> accept mail from senders with policy z."   Further, authors and receiving
> users can make other assertions/decisions (such as "I, Dave Crocker,
> will only accept mail that has a verifiable signature,") but that's out
> of scope for this group.

There is also a proposal to publish such a statement in common, prior
to receiving an MTA. Before injecting the message I could look up and
learn that Dave is willing to accept messages with a digital
signature only, _before_ sending or even before writing the message.

regards
Hadmut
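Added example (not part of the thread, and not code from any of the proposals discussed): a sketch of the two signature-based ideas above, the signed "pseudo-message" for the transmission initiator (Message-ID, body hash, sender, recipient, signature, carried in one header line) and a public-key fingerprint that an authorization record could publish so the receiver knows which key to trust. The header name X-Injection-Signature, the field layout, Ed25519 as the signature scheme, SHA-256 as the hash, and the sample addresses and body are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// InjectionClaim is the pseudo-message sketched in the thread: which message
// (Message-ID), a hash of its body, and the sender and recipient addresses.
// The transmission initiator signs it, so a receiver can check who injected
// the message independently of authorship and of the delivering MTA.
type InjectionClaim struct {
	MessageID string
	Sender    string
	Recipient string
	BodyHash  string // lowercase hex SHA-256 of the message body
}

// BodyHash returns the hex SHA-256 digest of the body text.
func BodyHash(body string) string {
	sum := sha256.Sum256([]byte(body))
	return hex.EncodeToString(sum[:])
}

// canonical is the exact byte string that gets signed: the fields in a fixed
// order, newline-separated, so signer and verifier agree byte for byte.
func (c InjectionClaim) canonical() []byte {
	return []byte(strings.Join([]string{c.MessageID, c.Sender, c.Recipient, c.BodyHash}, "\n"))
}

// KeyFingerprint is what an authorization record could publish instead of
// the whole key: hex SHA-256 over the raw public key bytes (assumed format).
func KeyFingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// BuildHeader signs the claim and encodes claim plus signature as one header
// line. The header name and field names are placeholders for this example.
func BuildHeader(priv ed25519.PrivateKey, c InjectionClaim) string {
	sig := ed25519.Sign(priv, c.canonical())
	return fmt.Sprintf("X-Injection-Signature: msgid=%s; from=%s; to=%s; bh=%s; sig=%s",
		c.MessageID, c.Sender, c.Recipient, c.BodyHash,
		base64.StdEncoding.EncodeToString(sig))
}

// ParseHeader recovers the claim and the raw signature from the header line.
// Fields are split on ';' and each on its first '=' only, because the
// base64 signature itself may end in '=' padding.
func ParseHeader(line string) (InjectionClaim, []byte, error) {
	const prefix = "X-Injection-Signature:"
	if !strings.HasPrefix(line, prefix) {
		return InjectionClaim{}, nil, errors.New("not an injection signature header")
	}
	fields := map[string]string{}
	for _, part := range strings.Split(strings.TrimSpace(line[len(prefix):]), ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(part), "=")
		if !ok {
			return InjectionClaim{}, nil, fmt.Errorf("malformed field %q", part)
		}
		fields[k] = v
	}
	for _, k := range []string{"msgid", "from", "to", "bh", "sig"} {
		if fields[k] == "" {
			return InjectionClaim{}, nil, fmt.Errorf("missing field %s", k)
		}
	}
	sig, err := base64.StdEncoding.DecodeString(fields["sig"])
	if err != nil {
		return InjectionClaim{}, nil, err
	}
	c := InjectionClaim{MessageID: fields["msgid"], Sender: fields["from"],
		Recipient: fields["to"], BodyHash: fields["bh"]}
	return c, sig, nil
}

// Verify is the receiving side: the presented key must match the fingerprint
// published in the authorization record, the delivered body must match the
// signed hash, and the signature must verify over the canonical claim.
func Verify(line, body, publishedFingerprint string, pub ed25519.PublicKey) error {
	if KeyFingerprint(pub) != publishedFingerprint {
		return errors.New("public key does not match published fingerprint")
	}
	c, sig, err := ParseHeader(line)
	if err != nil {
		return err
	}
	if c.BodyHash != BodyHash(body) {
		return errors.New("body hash mismatch: body altered or header reused")
	}
	if !ed25519.Verify(pub, c.canonical(), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	body := "Hello Dave,\n\nsee the draft attached.\n" // constructed sample body
	claim := InjectionClaim{MessageID: "<1234.example@aol.net>", // constructed
		Sender: "aoki@aol.net", Recipient: "dave@example.org", BodyHash: BodyHash(body)}
	line := BuildHeader(priv, claim)
	fmt.Println(line)
	fmt.Println("original body:", Verify(line, body, KeyFingerprint(pub), pub))
	fmt.Println("altered body: ", Verify(line, body+"P.S.\n", KeyFingerprint(pub), pub))
}
```

Binding the body hash and both addresses into the signed claim is what stops a valid header from being cut off one message and pasted onto another; the fingerprint check is what ties the key to the domain's authorization record rather than to whatever key the injector chooses to present. A real format would still need proper quoting for ';' and '=' inside addresses and Message-IDs, which this sketch leaves out.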