mail-vet-discuss

Re: [mail-vet-discuss] Auto-configuration

2008-10-09 19:21:35
On Thu, 09 Oct 2008 15:59:31 -0700 "Murray S. Kucherawy" <msk(_at_)sendmail(_dot_)com> wrote:
Murray S. Kucherawy wrote:
What about LDAP?
  

Maybe we should add a subsection to Security Considerations which covers 
this, something like:

MUAs and filters wishing to make use of the value of this header field 
will need to know what authserv-id token(s) will be present in header 
fields that should be trusted, i.e. those that trusted MTAs will add.  
This may have to be a configuration option for packages which will make 
use of the header field, though that is a daunting consideration at 
large installations.  It could also be auto-discovered from an [LDAP] 
server or other automatic configuration system.  Methods of conveying 
this information in an automated fashion to consumers of the header 
field are outside of the scope of this document.

I think basing a security decision on a correct token in the 
header/message is a mistake.  I think you have to assume that a list of 
'good' tokens would leak out and be forged.  I think it needs to be 
verifiable outside the message.  It could be a list of IP addresses for 
example.

Scott K
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html 
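
The concern in the reply above, as an added example that is not part of the original thread: a filter that trusts an Authentication-Results field on its authserv-id token alone, next to one that also requires the delivering peer's address (known from the connection, outside the message) to be on a list of trusted MTAs. The token mx.example.org, the address range and the sample message are constructed; trusted MTAs are assumed to remove incoming fields that carry their own token.

```python
import ipaddress
from email import message_from_string

# Constructed sample message. The field below was written by the sender,
# who copied the receiving site's authserv-id token.
FORGED = (
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example\n"
    "From: alerts@bank.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
MSG = message_from_string(FORGED)

TRUSTED_IDS = {"mx.example.org"}                            # hypothetical token list
TRUSTED_MTA_NETS = [ipaddress.ip_network("192.0.2.0/28")]   # hypothetical MTA addresses


def authserv_id(field_value):
    """Return the authserv-id: the first token before the first ';', lowercased."""
    head = field_value.split(";", 1)[0].split()
    return head[0].lower() if head else ""


def token_only(msg, trusted_ids):
    """Trust decision made purely from content inside the message."""
    return [v for v in msg.get_all("Authentication-Results", [])
            if authserv_id(v) in trusted_ids]


def token_and_source(msg, trusted_ids, peer_ip, trusted_nets):
    """Also require that the host that handed us the message is a trusted MTA.

    peer_ip comes from the delivery connection, not from any header field.
    Assumption: trusted MTAs strip inbound fields bearing their own token.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_nets):
        return []          # nothing in the message is believed
    return token_only(msg, trusted_ids)


if __name__ == "__main__":
    print("token only:         ", token_only(MSG, TRUSTED_IDS))
    print("untrusted peer:     ", token_and_source(MSG, TRUSTED_IDS, "203.0.113.7", TRUSTED_MTA_NETS))
    print("trusted MTA as peer:", token_and_source(MSG, TRUSTED_IDS, "192.0.2.5", TRUSTED_MTA_NETS))
```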
