[mail-vet-discuss] Authentication vs. Authorization
Scott Kitterman
mail-vet-discuss at kitterman.com
Fri Oct 24 09:59:02 PDT 2008
On Friday 24 October 2008 12:10, Murray S. Kucherawy wrote:
> An issue has been raised regarding the name of the proposed header
> field. Some of the methods supported by the draft are specifically
> message authorization and not authentication (e.g. SPF, Sender-ID) and
> there's a concern that this might mislead some consumers of the header
> field's contents. Do others concur, or is it not something about which
> to be concerned?
>
> Because of the existing installed base of code doing this work,
> splitting the header field into two (one for authentication and one for
> authorization) seems like it would work but something easier could be done.
>
> Perhaps we could take advantage of a lexical coincidence and rename it
> to "Auth-Results", specifying in the draft that it covers both
> authentication results and authorization results. Would that work?

Both SPF and DKIM pretty well tell you the message came from an MTA that the
domain owner somehow thought well of. I don't see any point in adding the
complexity.

As you've said, the consumers of this header are expected to understand what
the results for each method mean. I think adding a distinction will cause
more confusion, not less.

Scott K