spf-discuss

RE: Is SPF Authentication or Authorization?

2004-09-21 10:16:43
It is quite simple: there is always an implicit issue of
authorization when almost any authentication credential
is issued. If I give you a username and password to access
my machine then that is BOTH an authentication credential 
AND implies the existence of at least one authorization
record since it is not very likely that I would bother to 
create an authentication record if I was not going to let
you do anything on the machine ever.

The point about authentication records is that they allow
the subject of the statement to be identified. There may
be other inferences that may be drawn in addition, but those
are usually considered secondary.

So from the traditional security world point of view it
would be accurate to call MARID records authentication or
authentication and authorization records, but calling them
authorization records alone is misleading.


From the point of view of the reader of the records the
authorization information is implicit and in any case
from the wrong perspective. Just because spamsalot.com
has authorized a server to send email does not mean that
I have authorized them to do so.




-----Original Message-----
From: Meng Weng Wong [mailto:mengwong(_at_)dumbo(_dot_)pobox(_dot_)com]
Sent: Tuesday, September 21, 2004 12:08 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] Is SPF Authentication or Authorization?


On Tue, Sep 21, 2004 at 03:13:30PM +0000, Mark wrote:
| >
| >A receiving MTA checks SPF in order to authenticate the sending MTA.
| >
| >If the check passes, the receiving MTA can use this authentication
| >data point as part of its authorization algorithm.
| 
| Wrong. SPF *authorizes* a relay. It does not authenticate anything.
| 

http://www.imc.org/ietf-mxcomp/mail-archive/msg00164.html

  I think the confusion between "authentication" and
  "authorization" arises from perspective.

  From the sender domain's point of view, the SMTP transaction
  is authorized or unauthorized.

  From the receiver's point of view, the sender is
  authenticated or unauthenticated.

  To the tall, the average man is short.

  To the short, the average man is tall.

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/