Julian Mehnle wrote:

The reason for the problem we're debating is that SPF can only authorize
_groups_ of people to use a certain domain name, or, that SPF can only
authenticate the use of a certain domain name by _groups_ of people.

The reason is NOT that there would be a meaningful difference between...

| entity X is authorized to use the identity Y

...and...

| the use of identity Y by entity X is authentic

There isn't.

(I'm not saying there is no difference between the concepts of
"authorization" and "authentication". There _is_ a difference; in the
context of verifying identities (of whatever granularity) it is roughly
the same as that between "write" and "read".)

To build upon that: If everybody thinks that only crypto solutions or
solutions that work with a granularity of individuals can assert
authenticity, then why is it that issuers of asymmetric crypto
certificates are called "certification authorities"?

It is because authenticity is always defined by authorities.

Domain owners who use SPF are authorities defining which uses of their
domain shall be considered authentic by receivers.