Tony,
TF> On Thu, 17 Jun 2004, Dave Crocker wrote:
CSA is about authorization, not authentication.
TF> OK. But the point of using CSA as opposed to any other lookup mechanism is
TF> it gives you authn and authz in one protocol exchange.
Although that is a possible and an appealing scenario, it was
certainly not "the point" behind the CSA SRV design.
In fact, I'm expecting people to look for much stronger
authentication, at least in some cases.
TF> And the other
TF> authn mechanisms described in HNA are too unweildy for use on the scale of
TF> the Internet.
not clear. certainly something as heavyweight as client-side
authentication with TLS has not. and I remain skeptical about it, but
the security guys keep banging on that door and, at some point,
someone is likely to open it.
TF> I think that CSA is elegant and simple, but I think its specification is
TF> being WAY overdone. Three documents to describe an enhancement to forward
TF> and reverse DNS consistency checking?!
Well, it does rather more than that.
First, it does not rely on forward/reverse and, in fact, allows much
stronger alternatives for authentication.
Second, the accreditation step is entirely new and explores territory
with essentially no Internet standards history or large-scale,
distributed operation testing.
It well might turn out to be appropriate to compress the
specifications, once folks are VERY clear about the service and have
good consensus on it. However at this stage, it is proving almost
impossible to get coherent discussion of these mail-reception control
techniques, with any real clarity about the component functions.
Unless and until we get there, dividing the topics up to be almost
completely separate should aid that coherence.
TF> People will get bored with the
TF> abstract discussion of the principles of security protocol design and not
TF> bother to read as far as the bit that explains how to implement it.
That's why I like your suggested summaries of the total procedure. It
permits easy scanning to extract the core characteristics, without
having to first read all the detail.
Huh? CSA _is_ the forward DNS process. Take the EHLO domain, do a
lookup on _client._smtp.<ehlo domain> and get back the authorization
SRV.
TF> OK, but that's different from the normal A or AAAA lookup for the bare
TF> EHLO domain which HNA appears to describe. And "CSA is about
TF> authorization, not authentication."
I had not understood that you meant the SECOND forward lookup. The
first produces the CSA SRV record. And, yes, the second produces the
A+ record of the SRV target.
d/
--
Dave Crocker <mailto:dcrocker(_at_)brandenburg(_dot_)com>
Brandenburg InternetWorking <http://www.brandenburg.com>
Sunnyvale, CA USA <tel:+1.408.246.8253>, <fax:+1.866.358.5301>