A DNS-based lookup, perhaps in the style of ATSP as this thread is describing,
to query for not just domain-level authorization, but also potentially
user-level authorization, I think is compelling because it can:
* Give domain owners a mechanism to achieve least-privilege authorization of
3rd
I mean something different.
By "user-to-domain" I mean a DNS function which asserts:
- When the message is signed by IETF, and the From address is my
account, the message is considered authenticated by this DNS entry.
- If the message is signed by IETF but the From address is a different
> On Apr 21, 2023, at 2:14 PM, Douglas Foster wrote:
>
> Can it provide a user-to-domain authentication solution?
Unless I am not following you, DKIM inherently provides "user-to-domain"
authentication by hash binding the 5322 From: and To: headers.
> That is what mailing lists need a
Can it provide a user-to-domain authentication solution? That is what
mailing lists need and that is what mailbox provider clients need. These
use cases are pretty fundamental to our objective of getting mail
authenticated without causing damage
Or has everyone already decided that user-to-doma
Doug,
You might want to review Doug Otis’s TPA (Third Party Authorization). It has a
higher scale method.
https://datatracker.ietf.org/doc/draft-otis-dkim-tpa-ssp/
Abstract
TPA-label is a DNS-based prefix mechanism for DKIM policy records as a means to
authorize Third-Party domains. This mec
On April 21, 2023 3:57:54 PM UTC, Alessandro Vesely wrote:
>On Fri 21/Apr/2023 05:41:03 +0200 Scott Kitterman wrote:
>> On April 20, 2023 4:18:08 PM UTC, Dotzero wrote:
>>> On Thu, Apr 20, 2023 at 11:38 AM John Levine wrote:
It appears that Alessandro Vesely said:
> IMHO at le
On Fri 21/Apr/2023 05:41:03 +0200 Scott Kitterman wrote:
On April 20, 2023 4:18:08 PM UTC, Dotzero wrote:
On Thu, Apr 20, 2023 at 11:38 AM John Levine wrote:
It appears that Alessandro Vesely said:
IMHO at least an appendix should say that if you can't do anything
better you have to rewri
Thinking on this some more, there are some tricky design risks:
- If the user-to-domain delegation scheme exposes an email address to
the world, that information may be used for unwanted purposes, particularly
increased spam volumes. Hashing provides part of that solution.
The ATSP