I-D Action:draft-otis-auth-header-appeal-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : Authentication-Results Header Field Appeal
	Author(s)       : D. Otis, D. Rand
	Filename        : draft-otis-auth-header-appeal-00.txt
	Pages           : 10
	Date            : 2009-02-16

The proposed [I-D.kucherawy-sender-auth-header], which defines a header
field used to capture email verification results obtained at border
receptions, has been approved for publication.  However, serious
deficiencies remain in its secure use, and these have prompted an
appeal of the publication decision.  This new header field is to convey
to Mail User Agents (MUA) and downstream processes the verification
results that are intended to augment handling decisions and message
annotations that might be made visible to recipients.  For such use,
it is crucial to include within an "Authentication-Results" header a
truly authenticated identity.

The draft acknowledges in section 1.5.2 that it confuses authorization
with authentication.  This confusion has led the draft to incorrectly
elevate the authorization of an SMTP client into the authentication of
an email-address domain.  Elevating the *authorization* of the SMTP
client into the *authentication* of an email-address domain incorrectly
assumes that current email practices adequately restrict the use of an
email-address domain based upon the originating IP address of the SMTP
client.  In an era of carrier-grade NATs, virtual servers, aggregated
services, and other techniques that overload the IP address, this
assumption is neither safe nor practical.

Although the draft explicitly declares Sender-ID and SPF to be the
authorization of the transmitting SMTP client, it fails to offer the
authenticated identity being trusted.  A truly authenticated identity
is essential for the reputation assessments which section 4.1 indicates
should be made prior to results being revealed.  A reputation check
of a truly authenticated identifier is often a necessary step in
mitigating fraud and abuse.  In addition, it is unfair to attribute
fraud or abuse to unauthenticated identifiers.  Even so, the header
offers no assurance that any reputation check has been made, nor does
it ensure that an authenticated identity, the IP address of the SMTP
client, can be determined by the MUA or downstream process.  The goal
of the appeal is to ensure adequate information is available when
annotating email.
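The distinction the appeal draws (an SPF or Sender-ID "pass" authorizes the SMTP client's IP address to use a domain, a DKIM "pass" binds a signing domain, and neither guarantees the client IP itself is recorded) can be made concrete by parsing a header field and sorting its results. The following is an added example, not code from the announcement, the draft, or its authors. The header values are constructed; the parsing model (authserv-id, then ";"-separated "method=result ptype.property=value" clauses) and the property names smtp.mailfrom, header.d, header.i and policy.iprev follow the later published Authentication-Results syntax (RFC 5451 and successors), not anything quoted on this page. The "iprev" clause is optional in that syntax, which is exactly the gap the appeal points at: without it a downstream process cannot recover the client IP from the field alone.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample header field bodies (not taken from the draft).
SAMPLE_WITH_IP = (
    "mx.example.net; "
    "spf=pass smtp.mailfrom=user@example.org; "
    "dkim=pass header.d=example.org; "
    "iprev=pass policy.iprev=192.0.2.10 (mail.example.org)"
)
SAMPLE_NO_IP = (
    "mx.example.net; "
    "spf=pass smtp.mailfrom=user@example.org; "
    "dkim=fail header.d=example.org"
)

@dataclass
class MethodResult:
    method: str
    result: str
    props: Dict[str, str] = field(default_factory=dict)  # "ptype.property" -> value

@dataclass
class AuthResults:
    authserv_id: str
    results: List[MethodResult]

_COMMENT = re.compile(r"\([^)]*\)")

def parse_authentication_results(value: str) -> AuthResults:
    """Parse the body of an Authentication-Results field: authserv-id, then
    ';'-separated 'method=result ptype.property=value ...' clauses."""
    value = _COMMENT.sub(" ", value)                      # drop CFWS comments
    segments = [s.strip() for s in value.split(";") if s.strip()]
    if not segments:
        raise ValueError("empty Authentication-Results value")
    authserv_id = segments[0].split()[0]                  # ignore optional version
    results: List[MethodResult] = []
    for seg in segments[1:]:
        tokens = seg.split()
        if tokens[0].lower() == "none":                   # "none": no methods were run
            continue
        method, _, result = tokens[0].partition("=")
        mr = MethodResult(method.split("/")[0].lower(), result.lower())
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if sep and "." in key:                        # keep ptype.property=value; skip reason=
                mr.props[key.lower()] = val
        results.append(mr)
    return AuthResults(authserv_id, results)

# Methods whose "pass" only records that the transmitting SMTP client's IP
# address was *authorized* to use a domain (the draft's own characterisation
# of SPF and Sender-ID).
IP_AUTHORIZATION_METHODS = {"spf", "sender-id"}

def assess(value: str) -> dict:
    """Separate IP-authorization results from signature-authenticated identities
    and report whether the SMTP client IP is recoverable from the field alone."""
    ar = parse_authentication_results(value)
    ip_authorized: List[tuple] = []   # (method, identity authorized for the client IP)
    authenticated: List[tuple] = []   # (method, identity bound by a verified signature)
    client_ip: Optional[str] = None
    for r in ar.results:
        if r.result != "pass":
            continue
        if r.method in IP_AUTHORIZATION_METHODS:
            ident = r.props.get("smtp.mailfrom") or next(iter(r.props.values()), None)
            ip_authorized.append((r.method, ident))
        elif r.method == "dkim":
            authenticated.append(("dkim", r.props.get("header.d") or r.props.get("header.i")))
        elif r.method == "iprev":
            client_ip = r.props.get("policy.iprev")      # the only clause carrying the client IP
    return {
        "authserv_id": ar.authserv_id,
        "ip_authorized": ip_authorized,
        "authenticated": authenticated,
        "smtp_client_ip": client_ip,
        "client_ip_available": client_ip is not None,
    }

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_IP, SAMPLE_NO_IP):
        print(assess(sample))
```

On the first sample the SPF pass is reported under "ip_authorized" for user@example.org, the DKIM pass under "authenticated" for example.org, and the client IP is recovered from the iprev clause. On the second sample the same SPF pass is present but no IP is available, so an MUA relying on this field alone has an authorized domain and nothing it can run a reputation check against.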

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-otis-auth-header-appeal-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
<ftp://ftp.ietf.org/internet-drafts/draft-otis-auth-header-appeal-00.txt>
_______________________________________________

I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
