ietf-mxcomp

RE: Authentication and Authorization

2004-03-11 17:37:08


   Can we live with Hadmut's definition of "authorization"?
(Keeping in mind that others will have different definitions)

Not if we want the spec to be comprehensible in the security
community. The information in the DNS is neither authorization
policy nor is it an authorization decision.

We went through all this with SAML; we had all the major single
sign-on vendors represented.

This is re-inventing the terms to mean something completely 
different.

We are not putting permissions data in the DNS here, we are 
putting credentials data in the DNS and stating that recipients
should verify that mail messages purporting to originate from
the zone are authentic with respect to a credential.

That is a security policy according to the current usage in
the field.