ietf-mxcomp

terminology: authentication / authorization

2004-07-08 14:14:43

On Thu, Jul 08, 2004 at 10:23:48AM -0700, Hallam-Baker, Phillip wrote:
| 
| Yes, and the MARId group continue to insist on calling a record that
| contains an authentication credential an authorization record. But
| this does not actually matter much, it just leads to fuzzy thinking.

Perhaps it depends on point of view.

From the sender's point of view, the record authorizes MTAs
to use the sender's name.

From the receiver's point of view, the record authenticates
MTAs as being permitted by the sender.

If you have been thinking in terms of one of those points of
view, try turning the chessboard around and put yourself in
the other person's shoes.

Whether the receiver then wants to authorize further
delivery is a policy matter dependent on reputation which
depends on (you guessed it) accreditation.

In the simplest case, if a receiver chooses to trust all
accreditors, their reputation system component is
essentially a "| cat |".

In the next simplest case, if a receiver chooses to trust only
certain accreditors of good repute, their reputation system
is essentially a "| egrep 'acc1|acc2|acc3...' |".

| There is a big, big problem with the blacklists. If you only
| list negative reputation you end up having to measure the 
| whole world against a set of criteria that is imposed 
| unilaterally.
| 
| Allowing the sender to nominate the accreditation services that
| are relevant allows the search for positive reputation data from
| a source trusted by the recipient to be narrowed.
| 
| This means that the market for accreditation services can contain
| both the 500,000 domain VDL that we publish and smaller lists from
| other providers with a few hundred entries.

Yes, selective whitelisting based on whatever inputs you
have is better in an AGUPI world than attempts to
whack-a-mole using blacklists.