I-D Action:draft-otis-auth-header-sec-issues-00.txt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : Authentication-Results Header Field Security Issues
	Author(s)       : D. Otis
	Filename        : draft-otis-auth-header-sec-issues-00.txt
	Pages           : 10
	Date            : 2009-01-07

The proposed [I-D.kucherawy-sender-auth-header] defines a header
field used to capture email verification results of border
receptions.  These results are then conveyed to Mail User Agents
(MUA) and downstream filters.  This header field is to augment
filtering decisions and message annotations that can be made visible
to recipients.  The annotations could affirm originating domains or
content integrity when based upon Domainkeys or DKIM results, or a
domain's authorization of a publicly transmitting SMTP client IP
address when based upon Sender-ID or SPF results, or that the SMTP
client IP address maps to a matching domain within the DNS reverse
namespace.

Although the draft acknowledges the conflation of authorization with
authentication in section 1.5.2, and explicitly declares Sender-ID
and SPF as the authorization of the transmitting SMTP client, it
still fails to offer the authenticated entity being trusted in the
exchange, the IP address of the SMTP client.  An authenticated entity
is essential for reputation assessments which section 4.1 indicates
should be made prior to results being revealed.  A reputation check
is often a necessary step to mitigate abuse and fraud.  Even so, the
header offers no assurance that any reputation check has been made,
nor does it ensure that the trusted entity, the IP address of the
SMTP client, can be determined by the MUA or downstream filter.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-otis-auth-header-sec-issues-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
<ftp://ftp.ietf.org/internet-drafts/draft-otis-auth-header-sec-issues-00.txt>
_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
[Index of Archives]     [IETF]     [IETF Discussion]     [Linux Kernel]

  Powered by Linux