ietf-mxcomp

RE: DEPLOY - IP, HELO & touch count. DOC-BUG too.

2004-08-26 15:56:36

On Thursday, August 26, 2004 at 1:35 PM, Doug Otis wrote about the
authentication and authorization aspects of SenderID, compared to
schemes involving EHLO.

After much thinking, I realized that our disagreements have to do with
confusions about how the two schemes treat identity, authentication and
authorization.


Sender-ID:

Identity:  The identity of a sending MTA is its IP address.

Authentication:  There is no authentication other than that implicit in
the TCP/IP stack.  Because in practice you can't perform an SMTP
transaction without being able to receive packets destined to the IP
address, this works well. (Yes, I know about TCP/IP spoofing attacks,
but they're impractical for sending bulk e-mail.)

Authorization:  The SenderID test determines whether the sending MTA is
authorized to send mail that claims to come from a particular domain.
This authorization can only be bestowed by the domain that the mail
claims to come from.


EHLO-based schemes:

Identity:  The identity of a sending MTA is its EHLO name.

Authentication:  Various schemes to determine whether the EHLO name that
an SMTP client sent is true.

Authorization:  Depending on the scheme, there might be none.
Otherwise, there might be a scheme to determine whether the sending MTA
is authorized by its domain owner to be an SMTP client.  There is no
authorization of individual messages.


The SenderID series of documents is based on an explicit decision to
pursue the first world-view; the fact that it doesn't do the second is
not a bug.

-- Jim Lyon
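The two world-views above side by side, as an added example that is not code from the original post or from the SenderID/SPF drafts: the DNS records are constructed, the SPF-style record syntax is a minimal subset (ip4, a, all with qualifiers), and the forward-confirmation lookup is one assumed EHLO scheme among the "various" mentioned.

```python
import ipaddress

# Constructed DNS data for this example (not real records).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com -all",
    "example.org": "v=spf1 ip4:198.51.100.10 ~all",
}
A = {
    "mail.example.com": ["203.0.113.5"],
    "mx.example.org": ["198.51.100.10"],
}

VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def senderid_check(sending_ip, claimed_domain):
    """SenderID world-view: identity is the IP; authorization comes only
    from the domain the mail claims to come from.  Returns the verdict
    of the first matching mechanism, 'none' if no record exists."""
    record = TXT.get(claimed_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return VERDICT[qualifier]
        elif term.startswith("a:"):
            if str(ip) in A.get(term[2:], []):
                return VERDICT[qualifier]
        elif term == "all":
            return VERDICT[qualifier]
    return "neutral"


def ehlo_check(ehlo_name, connecting_ip):
    """EHLO world-view: identity is the announced name; authentication
    asks whether that name is true.  Assumed scheme: forward-confirm
    by checking the name resolves to the connecting address.  Note it
    says nothing about which domain the message claims to come from."""
    return connecting_ip in A.get(ehlo_name, [])
```

The same connecting IP can pass the EHLO check yet fail the SenderID check (or vice versa), which is exactly the separation of authentication from per-message authorization the post describes.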