mail-vet-discuss

Re: [mail-vet-discuss] Authentication vs. Authorization

2008-10-30 08:09:16
On Fri, 24 Oct 2008 17:10:14 +0100, Murray S. Kucherawy <msk(_at_)sendmail(_dot_)com> wrote:

> An issue has been raised regarding the name of the proposed header
> field.  Some of the methods supported by the draft are specifically
> message authorization and not authentication (e.g. SPF, Sender-ID) and
> there's a concern that this might mislead some consumers of the header
> field's contents.  Do others concur, or is it not something about which
> to be concerned?

Having read all of this discussion, I conclude that "Authentication" is  
actually the *correct* term for what this header does.

"Authentication" is a statement of assurance about some particular aspect  
of the provenance of a message.

"This is an authentic Ebay message"
"It is authenticated that this message came from an Ebay IP address"
"It is authenticated that this message passed through X during transit"
"It is authenticated that such and such a header was added by X"

All these are saying different things about the provenance of the message.  
The only thing they have in common is that the statement being made has  
been verified by some technical means.

None of them says *anything* about "authorization" (though that may be  
implied by secondary information available from elsewhere, such as ADSP  
records).

So the name of the header is correct. Adding further parameters to it  
might or might not be appropriate (for example a parameter that indicated  
some associated ADSP status, to save the recipient from looking it up  
again).

> Perhaps we could take advantage of a lexical coincidence and rename it
> to "Auth-Results", specifying in the draft that it covers both
> authentication results and authorization results.  Would that work?

No, because that introduced "Author" into the possible  
(mis-)interpretations :-(.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131      Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html 
