
Re: Mail Server Registries and Foreign Sender Authentication: A Proposal

2007-04-02 21:23:25

On 3/28/07, Jeff Macdonald <jmacdonald(_at_)e-dialog(_dot_)com> wrote:
> On Wed, Mar 28, 2007 at 07:42:51AM -0600, Randy Smith wrote:
>
> > Since OpenID is built to allow authentication, among other things,
> > against 3rd party systems, it seems like an excellent way to allow a
> > recipient server to authenticate all users who wish to send or deliver
> > mail with their server.
>
> Randy, could you use OpenID terms in describing your SMTP extension?
> I'm having trouble understanding how this would work from your
> description in your blog. Adding PGP seems to add additional overhead
> for what OpenID provides (unless I'm totally misunderstanding OpenID).
> Here are what I think are some of the relevant terms:

What I was thinking of was using the trust features of PGP to allow the
server to make decisions based on how much the key is trusted and the
"trustiness" of other keys in the chain. If a web of trust could be
built by some other means than PGP, that's fine. It's the trust and
key signing that's important here, not the encryption.

> MTA terms:
> C:      Sending MTA     - sending message
> S:      Receiving MTA   - receiving message
>
> OpenID terms:
> Consumer        - wants proof
> End User        - wants to prove their identity to Consumer
> User Agent      - End user web browser
>
> I is the Identity server
>
> Say there is a new ESMTP keyword, OPENID. Here's a breakdown loosely
> following your example:
>
> C->S: connects
> S->C: banner
>
> C->S: ehlo
> S->C: OPENID is returned along with whatever else
>
> C->S: OPENID <url identifier>
> S:      <becomes a Consumer>
> S->I:   <fetches url identifier: Section 3.3 of OpenID spec>
> S->C:   250 <identity provider URL: Section 3.5 of OpenID spec>
>
> S->I: associate with identity provider? Section 4.1.x
>
> C->I: go to identity provider? Section 4.2.x

Honestly, I'm not sure as I'm not familiar with the details of
OpenID. I think the best way would be for the server to verify the
identity with the ID provider rather than trust the client.

> C->S: OPENID CRED <stuff from>
> S->C: 250 Ok Credentials are OK
>
> <continue with normal SMTP>
>
> I may have abused SMTP extensions in this example (re: OPENID CRED).

That's pretty close to what I was thinking.

> :: Jeff Macdonald | Principal Engineer, Messaging Technologies
> :: e-Dialog | jmacdonald(_at_)e-dialog(_dot_)com
> :: 131 Hartwell Ave. | Lexington, MA 02421
> :: v: 781-372-1922 | f: 781-863-8118

Randy Smith
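The exchange sketched in the thread, as an added worked model that is not part of either message and not real OpenID: the ESMTP keyword OPENID, the "OPENID CRED" form, the provider and user URLs, the class names and the passwords are all constructed here. An HMAC secret shared between the identity provider and the receiving MTA stands in for the OpenID association step, so that S verifies the credential itself rather than trusting the client, which is the point Randy raises. The model also goes one step beyond the thread by tracking nonces so a captured assertion cannot be replayed.

```python
import hashlib
import hmac
import secrets


class IdentityProvider:
    """The 'I' role: authenticates End Users and signs assertions for them.
    A shared HMAC secret stands in for the OpenID association step."""

    def __init__(self, url):
        self.url = url
        self._assoc_secret = secrets.token_bytes(32)  # handed to associated consumers
        self._users = {}                               # identifier -> password (constructed)

    def register(self, identifier, password):
        self._users[identifier] = password

    def associate(self):
        """Consumer-to-I association: the Consumer obtains the shared secret."""
        return self._assoc_secret

    def authenticate(self, identifier, password):
        """End User proves identity to I; I returns a signed assertion or None."""
        if self._users.get(identifier) != password:
            return None
        nonce = secrets.token_hex(8)
        sig = hmac.new(self._assoc_secret, f"{identifier}|{nonce}".encode(),
                       hashlib.sha256).hexdigest()
        return f"{identifier}|{nonce}|{sig}"


class ReceivingMTA:
    """The 'S' role: an ESMTP server that becomes a Consumer on OPENID."""

    def __init__(self, discovery):
        self.discovery = discovery      # identifier URL -> provider; stands in for the 3.3/3.5 fetch
        self.identifier = None
        self.provider = None
        self.secret = None
        self.authenticated = False
        self.seen_nonces = set()        # replay protection for assertions

    def handle(self, line):
        """Process one C->S command line and return the S->C reply."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mx.example.test\r\n250 OPENID"   # advertise the keyword
        if verb == "OPENID":
            sub, _, rest = arg.partition(" ")
            return self._cred(rest) if sub.upper() == "CRED" else self._identify(sub)
        if verb == "MAIL":
            return "250 OK" if self.authenticated else "530 Authentication required"
        return "500 Unrecognised command"

    def _identify(self, identifier):
        """OPENID <url identifier>: discover I, associate, hand its URL back."""
        provider = self.discovery.get(identifier)
        if provider is None:
            return "550 Unknown identifier"
        self.identifier, self.provider = identifier, provider
        self.secret = provider.associate()
        return f"250 {provider.url}"

    def _cred(self, assertion):
        """OPENID CRED <assertion>: S checks the signature itself, so a client
        is never accepted merely for claiming that I vouched for it."""
        if self.provider is None:
            return "503 Send OPENID <identifier> first"
        parts = assertion.split("|")
        if len(parts) != 3:
            return "501 Malformed credential"
        ident, nonce, sig = parts
        expected = hmac.new(self.secret, f"{ident}|{nonce}".encode(),
                            hashlib.sha256).hexdigest()
        if (ident != self.identifier or nonce in self.seen_nonces
                or not hmac.compare_digest(sig, expected)):
            return "535 Credentials rejected"
        self.seen_nonces.add(nonce)
        self.authenticated = True
        return "250 Ok Credentials are OK"


def run_exchange(identifier, password, tamper=False):
    """Drive one session and return the S->C replies in order.
    Constructed users and URLs; a client whose login at I fails
    fabricates a credential, and tamper=True corrupts the signature."""
    provider = IdentityProvider("https://idp.example.test/")
    provider.register("https://alice.example.test/", "correct horse")
    server = ReceivingMTA({"https://alice.example.test/": provider})
    replies = [server.handle("EHLO client.example.test"),
               server.handle(f"OPENID {identifier}")]
    assertion = provider.authenticate(identifier, password)          # C->I
    if assertion is None:
        assertion = f"{identifier}|0000|deadbeef"                     # forged
    if tamper:
        assertion = assertion[:-1] + ("0" if assertion[-1] != "0" else "1")
    replies.append(server.handle(f"OPENID CRED {assertion}"))         # C->S
    replies.append(server.handle("MAIL FROM:<alice@example.test>"))
    return replies
```

Running `run_exchange` with the registered password yields the "250 Ok Credentials are OK" reply and then lets MAIL proceed; a wrong password, a corrupted signature, an unknown identifier or a replayed assertion each leave the session unauthenticated and MAIL answers 530. The design choice to note is that the decision in `_cred` rests only on the secret obtained from I during association and on S's own nonce log, never on anything the client asserts about itself.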
