On Thu, 09 Oct 2008 15:59:31 -0700 "Murray S. Kucherawy" <msk(_at_)sendmail(_dot_)com> wrote:
> Murray S. Kucherawy wrote:
> > What about LDAP?
> Maybe we should add a subsection to Security Considerations which covers
> this, something like:
> MUAs and filters wishing to make use of the value of this header field
> will need to know what authserv-id token(s) will be present in header
> fields that should be trusted, i.e. those that trusted MTAs will add.
> This may have to be a configuration option for packages which will make
> use of the header field, though that is a daunting consideration at
> large installations. It could also be auto-discovered from an [LDAP]
> server or other automatic configuration system. Methods of conveying
> this information in an automated fashion to consumers of the header
> field are outside of the scope of this document.
I think basing a security decision on a correct token in the
header/message is a mistake. I think you have to assume that a list of
'good' tokens would leak out and be forged. I think it needs to be
verifiable outside the message. It could be a list of IP addresses for
example.
Scott K
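As an added illustration (not code from the thread or from any implementation discussed on it), here is one way a consumer could apply Scott's point: act on an Authentication-Results header only when its authserv-id matches local policy AND the message demonstrably arrived from a trusted relay, with the relay checked against the topmost Received: header rather than against the token alone. The authserv-id, relay addresses and sample headers are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed local policy (constructed): the authserv-id our own border MTA writes,
# and the relay addresses allowed to hand mail to this consumer.
TRUSTED_AUTHSERV_IDS = {"mx.example.com"}
TRUSTED_RELAYS = [ip_network("192.0.2.0/24")]

_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(headers):
    """IPv4 address in the topmost Received: header, i.e. the host that
    delivered the message to us. Headers are (name, value) pairs in order."""
    for name, value in headers:
        if name.lower() == "received":
            m = _RECEIVED_IP.search(value)
            return m.group(1) if m else None
    return None


def trusted_auth_results(headers):
    """Return the Authentication-Results values this consumer may act on.

    A matching authserv-id by itself proves nothing: anyone who learns the
    token can paste such a header into a message. So the message must also
    have come from a trusted relay, which is verifiable outside the header.
    (A border MTA should still strip foreign A-R headers on entry; this check
    covers mail that reached the consumer without passing through it.)
    """
    ip = relay_ip(headers)
    if ip is None or not any(ip_address(ip) in net for net in TRUSTED_RELAYS):
        return []
    results = []
    for name, value in headers:
        if name.lower() != "authentication-results":
            continue
        # Syntax: authserv-id [version] ";" results...; take the first token.
        authserv_id = value.split(";", 1)[0].split()[0]
        if authserv_id in TRUSTED_AUTHSERV_IDS:
            results.append(value.strip())
    return results


# Constructed sample: the sender pasted an A-R header carrying our authserv-id,
# but the message arrived from an address outside the trusted relays.
FORGED = [
    ("Received", "from mail.example.net [203.0.113.5] by mda.example.com; Thu, 9 Oct 2008 16:00:00 -0700"),
    ("Authentication-Results", "mx.example.com; dkim=pass header.d=bank.example"),
]
# Constructed sample: same header, delivered through a trusted internal relay.
GENUINE = [
    ("Received", "from relay1.example.com [192.0.2.10] by mda.example.com; Thu, 9 Oct 2008 16:00:00 -0700"),
    ("Authentication-Results", "mx.example.com; dkim=pass header.d=bank.example"),
    ("Authentication-Results", "other.example.org; spf=pass"),
]
```

The second (foreign-authserv-id) header on the genuine message is also dropped, since only headers written by our own MTA are meaningful to this consumer.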
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html