> I gather you are saying that DKIM-base can give you an authentic
> identity that signed the message, but that DKIM-base tells you nothing
> about whether that identity is authorized to be sending the message.
> I know that authentic and authorize are specific terms of art and I'm
> trying to understand where DKIM stands in relation to them.
>
> DKIM-SSP attempts to at least partially fill that gap. Is that right?

No. Authorization is used as a term of art with respect to a controlled resource. The ability to inject mail into the Internet is not a control point. The control point is at the receiver side.

The correct terms of art here are policy and/or credentials. The policy statement may contain a description of what legitimate email sent from the domain should look like. It is really an extension of a certificate. "By these properties shall ye know genuine email from me". We are firmly in the authentication domain here.

It is compatible with existing uses of the terms to think of the SSP entry as policy or as a form of credential. Calling it authorization leads to confusion. Only the control point gets to decide on authorization policy. The control point here is the email receiver.

If we are not careful we will end up going into the rathole the SPF folk are still in where they are debating how the sender will tell the receiver how to configure their spam filter...

_______________________________________________
ietf-dkim mailing list
http://dkim.org
