ietf-mxcomp

Re: Authentication and Authorization

2004-03-11 14:00:44

At 12:20 PM -0800 03/11/2004, Dave Crocker wrote:
Ted,


TH> I believe the point we're trying to reach is:

TH> "* The MTA from which my MTA received this message is listed as being
TH> allowed to send mail on behalf of the domain listed in the message
TH> (or not)."

"domain listed in the message"  could mean the RFC2822 From, RFC2822
Sender, the SMTP Mail-From, or possibly even the SMTP EHLO.

Beyond "listed in the message" is being authorized by the containing
service provider to act as a client MTA.

(I'll leave out RFC2822 Reply-To, since I do not think anyone considers
it a viable example.)

These involve very different identity roles.


I agree.  Which one is picked is a very important choice, and one aspect
of that choice is how closely we can tie each identity to the MTA and to the zone
maintainer.  I did not go into it in that message, since the focus
was on "publish a permitted set description, check a record" vs. "publish a record,
check the asserted permissions", but it clearly is a critical element
to get right.
                regards,
                                Ted Hardie
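The exchange above turns on the fact that a single delivery carries several candidate identities (RFC 2822 From, RFC 2822 Sender, SMTP MAIL FROM, SMTP EHLO) and that a "published permitted set" check can give a different answer for each. The following Python is an added illustration, not code from this thread or from any MARID draft: it pulls each identity out of a constructed SMTP session and message, looks each domain up in a constructed permitted-set table (an in-memory stand-in for the DNS records a real checker would query), and reports per role whether the connecting MTA is authorized. The table contents, IP ranges and addresses are all assumptions made up for the example.

```python
"""Show how the choice of identity role changes the outcome of a
'permitted client MTA' check. Everything below is a constructed example."""
import email
import ipaddress
from email import policy
from email.utils import parseaddr

# Constructed stand-in for published per-domain records: domain -> networks
# allowed to act as a client MTA on that domain's behalf. A real checker
# would fetch this from DNS; the contents here are assumed for illustration.
PERMITTED = {
    "example.org": [ipaddress.ip_network("192.0.2.0/24")],
    "lists.example.net": [ipaddress.ip_network("198.51.100.0/24")],
    "mx.example.com": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed SMTP session parameters as the receiving MTA would see them.
SESSION = {
    "client_ip": "198.51.100.7",
    "ehlo": "mx.example.com",
    "mail_from": "bounces@lists.example.net",
}

# Constructed message: a list relay forwarding a post from example.org.
RAW_MESSAGE = b"""From: alice@example.org
Sender: listserv@lists.example.net
To: bob@example.com
Subject: test

body
"""


def domain_of(address):
    """Return the lower-cased domain part of a mailbox, tolerating display names."""
    addr = parseaddr(address)[1] or address
    return addr.rpartition("@")[2].lower()


def identities(session, raw):
    """Extract the four candidate identity domains from session + message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "rfc2822.from": domain_of(msg["From"] or ""),
        "rfc2822.sender": domain_of(msg["Sender"] or ""),
        "smtp.mail_from": domain_of(session["mail_from"]),
        "smtp.ehlo": session["ehlo"].lower(),
    }


def authorized(domain, client_ip, permitted=PERMITTED):
    """True if client_ip falls inside a network the domain has published."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in permitted.get(domain, []))


def evaluate(session, raw, permitted=PERMITTED):
    """Run the permitted-set check once per identity role."""
    return {
        role: authorized(dom, session["client_ip"], permitted)
        for role, dom in identities(session, raw).items()
    }


if __name__ == "__main__":
    for role, ok in evaluate(SESSION, RAW_MESSAGE).items():
        print(f"{role:18} {'authorized' if ok else 'NOT authorized'}")
```

With these constructed inputs the relay is authorized for the Sender and MAIL FROM domains but not for the From or EHLO domains, which is exactly the situation the thread points at: a checker that binds to the wrong role either rejects legitimate list traffic or accepts mail the author's domain never vouched for.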