Re: Authentication vs. Authorization
2005-05-21 02:00:12
Julian Mehnle wrote:
[...]
SPF, from a strictly technical standpoint, is a method for authorizing
(implicitly) authentic IP addresses to use a certain domain name as the
identity. This, in itself, is not equivalent to the authentication of a
domain. In order to gain real value from SPF with regard to reputation
systems, we need to somehow bridge the gap from the authorization of IP
addresses to the authentication of domain names.
The only practical and useful way to do this is to require the domain owner
to take responsibility for the cases where authorized IP addresses send
unauthentic (i.e. forged) mail, i.e. requiring them to declare full trust
in their outgoing MTAs.
[...]
But isn't an administrator, by virtue of including an MTA (by whichever
criteria they use) in their domain's SPF RR, explicitly taking an action
that communicates trust in that MTA? To put it another way, unless I
fully trusted that a given MTA would (or could) not be used to
impersonate my domain (or another apparently on my behalf) to conduct
inappropriate activities then why would I take the dangerous step of
including it in my list of trusted senders? I wouldn't, of course.
It seems quite natural and logical, then, that I must take
responsibility for the MTAs I allow in my SPF record (which makes
include a tricky proposition, IMHO, particularly across domains). I
stake some of my own reputation in the event that one of them abuses
that trust, or wasn't actually worthy of it.
Bill
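
Added example, not part of the original message or of any SPF implementation: a small audit that expands a domain's SPF record through its include: terms and reports which networks the owner ends up vouching for, and which of those grants come from other organizations' records. The records, the example.* names, and the two-label org_domain() heuristic are constructed assumptions; a real audit would query DNS and use the Public Suffix List.

```python
# Constructed SPF records standing in for DNS TXT lookups (placeholder names).
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.com "
                   "include:mail.example.net -all",
    "_spf.example.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "mail.example.net": "v=spf1 ip4:203.0.113.0/24 include:bulk.example.org ~all",
    "bulk.example.org": "v=spf1 ip4:203.0.113.128/25 -all",
}

def org_domain(name):
    """Naive organizational domain: the last two labels (assumption)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def audit_spf(domain, records):
    """Return (grants, external).

    grants:   list of (network, include chain that authorized it)
    external: include targets outside the owner's organizational domain
    Simplifications: a/mx/ptr/exists/redirect are not resolved and
    first-match ordering between mechanisms is ignored.
    """
    owner = org_domain(domain)
    grants, external, seen = [], [], set()

    def walk(name, chain):
        if name in seen:                      # guard against include loops
            return
        seen.add(name)
        terms = records.get(name, "").split()
        if not terms or terms[0].lower() != "v=spf1":
            return
        for term in terms[1:]:
            if term[0] in "-~?":              # only Pass-qualified terms authorize
                continue
            mech = term.lstrip("+").lower()
            if mech.startswith(("ip4:", "ip6:")):
                grants.append((mech.split(":", 1)[1], chain + (name,)))
            elif mech.startswith("include:"):
                target = mech.split(":", 1)[1]
                if org_domain(target) != owner:
                    external.append(target)   # trust delegated across domains
                walk(target, chain + (name,))

    walk(domain, ())
    return grants, external

if __name__ == "__main__":
    grants, external = audit_spf("example.com", RECORDS)
    for net, chain in grants:
        print(f"{net:20} via {' -> '.join(chain)}")
    print("cross-domain includes:", external)
```

Every network in the output can produce an SPF Pass for example.com, including the one reached only through a second organization's include.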