[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Mail Server Registries and Foreign Sender Authentication: A Proposal

To: Jeff Macdonald <jmacdonald@xxxxxxxxxxxx>
Subject: Re: Mail Server Registries and Foreign Sender Authentication: A Proposal
From: Douglas Otis <dotis@xxxxxxxxxxxxxx>
Date: Thu, 29 Mar 2007 11:39:33 -0700
Cc: ietf-mxcomp@xxxxxxx
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-mxcomp/mail-archive/>
List-id: <ietf-mxcomp.imc.org>
List-unsubscribe: <mailto:ietf-mxcomp-request@imc.org?body=unsubscribe>
References: <f233bc6e0703231951w6048fef0m6df4b2323e16cc45@xxxxxxxxxxxxxx> <1174958420.5962.76.camel@xxxxxxxxxxxxxxx> <f233bc6e0703280642p47ef1cf5y1921675ed2869682@xxxxxxxxxxxxxx> <>
Sender: owner-ietf-mxcomp@xxxxxxxxxxxx



On Mar 28, 2007, at 7:52 PM, Jeff Macdonald wrote:

On Wed, Mar 28, 2007 at 07:42:51AM -0600, Randy Smith wrote:
Since OpenID is built to allow authentication, among other things,against 3rd party systems, it seems like an excellent way to allowand recipient server to authenticate all users who wish to send ordeliver mail with their server.
Randy, could you use OpenID terms in describing your SMTP extension?


I don't think an SMTP extension is required.  Explaining follows:

I'm having trouble understanding how this would work from yourdescription in your blog. Adding PGP seems to add additionaloverhead for what OpenID provides (unless I'm totally mis-understanding OpenID). Here are what I think are some of therelevant terms:
MTA terms:
C:	Sending MTA	- sending message
S:	Receiving MTA	- receiving message

There are OpenID extensions proposed to allow the exchange of publickeys related to an Identity.


http://openid.net/specs/openid-service-key-discovery-1_0-01.html

There are OpenID extensions proposed for email-addresses such as:

http://www.sappenin.com/openid/ext/oet/openid-email-transform-extension-1_0.html

http://blog.phpbb.cc/2007/02/04/smtp-service-extension-for-yadis-discovery/

Now imagine an extension to DKIM, OpenPGP, or S/MIME where a querymethod is defined for OpenID.

This would allow senders to sign messages and allow recipients toverify using extensions proposed for identifying email-addressesusing OpenID.

This would not require any change to SMTP, but would require a minorchange to DKIM, OpenPGP, or S/MIME. But it gets better...

OpenID terms:
Consumer	- wants proof
End User	- wants to prove their identity to Consumer
User Agent	- End user web browser


Add:

Sender - wants proof of recipient and secure receipt for webexchanged information.

It would also be possible to forgo any public-key cryptographyrelated to the message by using standardized conventions for wherethe web exchanged information is placed with regard to a specificidentity.

Perhaps a subdomain of OMail.<email-domain> could work where thelocal-part is normalized within the first path. Sub-path componentscould function as the message-ID, for example.

When a message is exchanged using something like BURL, the identityof the sender can be deduced from the embedded URI. Nothing else isneeded as it would be expected this location would be identifiedusing SSL certs when related to commerce. It would be ratherdifficult to forge such messages when the entire message body isfound via the link. The web server could then use OpenID to ensureonly the intended recipient receives the message. When done usingHTTPS, email becomes secure without use of encrypted messages.

OpenID is already establishing whitelists to protect blogs. Thiseffort could extend to whitelisting email that is sent using suchconventions.

I is the Identity server

Say there is a new ESMTP keyword, OPENID. Here's a breakdown loosely
following your example:

C->S: connects
S->C: banner

C->S: ehlo
S->C: OPENID is returned along with whatever else

There could be extensions made in the HTTP header structures found inOMail subdomain that lists the root names of all "authorized" SMTPclients, for example. I doubt this would be needed once only BURLstyle messages are adopted as an exclusive mode of exchange. Thiswill take awhile.

C->S: OPENID <url identifier>
S: 	<becomes a Consumer>
S->I:   <fetches url identifier: Section 3.3 of OpenID spec>
S->C:   250 <identity provider URL: Section 3.5 of OpenID spec>

Possible, but this would require a lengthy adoption process. Therecould be a convention used for the SMTP client host-name that alsosignals use of an authorization field found within the OMailsubdomain. This convention might look something like:


EHLO:
 OMAIL-<host-name>.<email-domain>.

S->I: associate with identity provider? Section 4.1.x

C->I: go to identity provider? Section 4.2.x

C->S: OPENID CRED <stuff from 4.2.2.3?>
S->C: 250 Ok Credentials are OK

<continue with normal SMTP>

I may of abused SMTP extensions in this example (re: OPENID CRED).

An extension could also be used. Which ever shows the leastresistance will likely be the best choice.


-Doug

References:
- Mail Server Registries and Foreign Sender Authentication: A Proposal
  - From: Randy Smith
- Re: Mail Server Registries and Foreign Sender Authentication: A Proposal
  - From: Douglas Otis
- Re: Mail Server Registries and Foreign Sender Authentication: A Proposal
  - From: Randy Smith
- Re: Mail Server Registries and Foreign Sender Authentication: A Proposal
  - From: Jeff Macdonald

Prev by Date: Re: Mail Server Registries and Foreign Sender Authentication: A Proposal
Previous by thread: Re: Mail Server Registries and Foreign Sender Authentication: A Proposal
Next by thread: Re: Mail Server Registries and Foreign Sender Authentication: A Proposal
Index(es):
- Date
- Thread