[Mailman-Developers] 2.1.8 documentation mismatch

Brad Knowles brad at stop.mail-abuse.org
Thu Jun 8 20:20:20 CEST 2006


At 3:26 PM +0100 2006-06-08, Ian Eiloart wrote:

>>  where "sender-pw" is associated with the (claimed) From-address.  This is
>>  different from, but complementary to, "Approved: list-pw".
>
>  That's neither approval nor authorisation, it's authentication - proving
>  that the person who used the email address also knew the password
>  associated with it. It's far better to insist on authenticated SMTP for ALL
>  message submission.

	For the application that David is looking at, "Authorized" would 
probably be the most appropriate term.

>  I've had a look through that thread, and I'm not sure what you're trying to
>  achieve. Generally, there are two aspects to deciding whether someone can
>  post to a list: "authorisation" and "authentication".

	David is looking for a way to do a per-sender way of using the 
existing "Approved:" mechanism, without having to share the list 
password across a large number of senders.  Each user would get their 
own password that would achieve the same result.

	But otherwise, there should be no additional security exposure, 
and no change to the security threat model.

>  Passwords are usually used for both, but it's far better to separate the
>  functions. Knowledge of a personal password serves to authenticate you, but
>  not to authorise you. Knowledge of a shared password is sometimes used for
>  authorisation, but can't be used for authentication. Even for
>  authorisation, passwords are extremely weak.

	This is a debate best reserved for discussing the entire 
"Approved:" mechanism as a whole, as opposed to something that David 
should have to try to fix as a part of the extension work that he is 
looking at.

	There are lots of deeper technical and architectural details here 
that need to be addressed, and I think it's more appropriate to ask 
Barry, Tokio, and Mark to look into those issues as opposed to David.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

  LOPSA member since December 2005.  See <http://www.lopsa.org/>.
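
The per-sender "Approved:" idea discussed in this message, sketched as an added example; it is not part of the original post and is not Mailman code. It assumes the per-sender password travels in the "Approved:" header; the names SENDER_PW, MAY_POST and check_post and all sample data are hypothetical. It keeps authentication (the password matches the claimed From: address) separate from authorisation (that address may post).

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr

def _kdf(password: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash of each sender's password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: address -> (salt, password hash).
SENDER_PW = {
    "alice@example.org": (b"salt-a", _kdf("alice-pw", b"salt-a")),
    "bob@example.org": (b"salt-b", _kdf("bob-pw", b"salt-b")),
}
# Authorisation is a separate list: bob has a password but may not post.
MAY_POST = {"alice@example.org"}
_DUMMY = (b"salt-x", b"\x00" * 32)  # same hashing work for unknown senders

def check_post(raw: str):
    """Return (accepted, message); the Approved: header is always removed."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    supplied = msg.get("Approved", "").strip()
    del msg["Approved"]  # the secret must never reach subscribers or archives
    salt, expected = SENDER_PW.get(sender, _DUMMY)
    # Authentication: does the password match the claimed From: address?
    authenticated = hmac.compare_digest(_kdf(supplied, salt), expected)
    authenticated = authenticated and sender in SENDER_PW
    # Authorisation: is that authenticated sender allowed to post?
    return authenticated and sender in MAY_POST, msg

def _post(sender: str, password: str) -> str:
    # Constructed sample message.
    return f"From: {sender}\nApproved: {password}\nSubject: test\n\nhello\n"

if __name__ == "__main__":
    for who, pw in [("alice@example.org", "alice-pw"),
                    ("alice@example.org", "bob-pw"),
                    ("bob@example.org", "bob-pw")]:
        ok, out = check_post(_post(who, pw))
        print(who, "accepted" if ok else "held", "Approved" in out)
```

A leaked per-sender password in this sketch exposes one address and can be revoked by deleting one record, which a shared list password cannot offer.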

