ietf-mxcomp

Re: CSV specification revision available

2004-06-19 05:53:12

Matthew Elvey <matthew(_at_)elvey(_dot_)com> wrote:
> On 6/16/2004 9:47 AM, John Leslie sent forth electrons to convey:
>> Matthew Elvey <matthew(_at_)elvey(_dot_)com> wrote:
>>>
>>> 1) Just as rDNS doesn't tie an IP to a domain for our purposes, perhaps
>>>    neither does SMTP Auth.
>>
>> True. SMTP AUTH does not tie to an IP address.
>>
>> It does, however, authenticate that you're talking with an SMTP client
>> worthy of some level of trust (it gave an appropriate response to the
>> challenge you issued). It didn't seem a stretch to think that this might
>> sometimes prove it trustworthy enough to give a correct EHLO string.
>
> It's a huge stretch.  I must strenuously object.

   Noted. (It really doesn't make much difference, so I won't argue.)

> <snip>
>
>>> 2) Just as rDNS doesn't tie an IP to a domain for our purposes,
>>>   STARTTLS might not either - i.e. STARTTLS should be used to validate
>>>   the identity of the connection initiator, not the connection acceptor.
>>
>> Agreed: if STARTTLS doesn't validate the initiator, it's useless for
>> host name authentication.
>>
>> However, we realize there _will_ be cases where the SRV lookup doesn't
>> return the matching IP address, but local policy may recognize STARTTLS
>> as "sufficient authentication".
>
> "_will_"?  I'd say "might".

   I'd say "will". (I didn't say it would be common.)

> I expect STARTTLS will not take off.
> <snip>

   Noted.

>>> I guess if either of these two methods are mentioned here but not relevant
>>> to CSV, that should be stated.
>>
>> I can't quite agree they're "not relevant"; but I agree that a warning
>> label is appropriate. ;^)
>
> Ok, I can live with that, grudgingly.

   Thank you.

   BTW, the WG versions of the CSV IDs have been submitted and approved
by Marshall. Meanwhile, they're available at:

http://www.jlc.net/MARID/CSV/

   The "intro" has been rewritten: you may be happier with it now. If not,
feel free to propose actual wording to improve it.

--
John Leslie <john(_at_)jlc(_dot_)net>