[Mailman-Developers] 2.1.8 documentation mismatch
Brad Knowles
brad at stop.mail-abuse.org
Thu Jun 8 20:20:20 CEST 2006
At 3:26 PM +0100 2006-06-08, Ian Eiloart wrote:
>> where "sender-pw" is associated with the (claimed) From-address. This is
>> different from, but complementary to, "Approved: list-pw".
>
> That's neither approval nor authorisation, it's authentication - proving
> that the person who used the email address also knew the password
> associated with it. It's far better to insist on authenticated SMTP for ALL
> message submission.

For the application that David is looking at, "Authorized" would
probably be the most appropriate term.

> I've had a look through that thread, and I'm not sure what you're trying to
> achieve. Generally, there are two aspects to deciding whether someone can
> post to a list: "authorisation" and "authentication".

David is looking for a way to do a per-sender way of using the
existing "Approved:" mechanism, without having to share the list
password across a large number of senders. Each user would get their
own password that would achieve the same result.

But otherwise, there should be no additional security exposure,
and no change to the security threat model.

> Passwords are usually used for both, but it's far better to separate the
> functions. Knowledge of a personal password serves to authenticate you, but
> not to authorise you. Knowledge of a shared password is sometimes used for
> authorisation, but can't be used for authentication. Even for
> authorisation, passwords are extremely weak.

This is a debate best reserved for discussing the entire
"Approved:" mechanism as a whole, as opposed to something that David
should have to try to fix as a part of the extension work that he is
looking at.

There are lots of deeper technical and architectural details here
that need to be addressed, and I think it's more appropriate to ask
Barry, Tokio, and Mark to look into those issues as opposed to David.

--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
LOPSA member since December 2005. See <http://www.lopsa.org/>.
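
A sketch of the per-sender "Approved:" check discussed in this thread, added here as an example; it is not Mailman code and not from any poster. The function name, the digest storage and the sample addresses and passwords are assumptions made for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import parseaddr


def pw_digest(password):
    # Assumption: unsalted SHA-256 keeps the sketch short; a real store
    # would use a salted, slow password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_approved(raw_message, list_pw_digest, sender_pw_digests):
    """Return (decision, msg); decision is 'list', 'sender' or 'hold'."""
    msg = message_from_string(raw_message)
    supplied = msg.get("Approved")
    # Always strip the header so the password never reaches subscribers.
    del msg["Approved"]
    if supplied is None:
        return "hold", msg
    supplied_digest = pw_digest(supplied.strip())
    # Shared list password: authorises whoever knows it, identifies nobody.
    if hmac.compare_digest(supplied_digest, list_pw_digest):
        return "list", msg
    # Per-sender password: looked up by the (claimed) From address, so a
    # match ties the approval to one account instead of a shared secret.
    _, addr = parseaddr(msg.get("From", ""))
    expected = sender_pw_digests.get(addr.lower())
    if expected is not None and hmac.compare_digest(supplied_digest, expected):
        return "sender", msg
    return "hold", msg


# Constructed sample data, not taken from the thread.
LIST_PW = pw_digest("list-secret")
SENDER_PWS = {"alice@example.org": pw_digest("alice-secret")}


def sample(from_header, approved):
    return ("From: %s\nApproved: %s\nSubject: test\n\nbody\n"
            % (from_header, approved))


if __name__ == "__main__":
    for frm, pw in [("Alice <alice@example.org>", "alice-secret"),
                    ("bob@example.org", "alice-secret"),
                    ("bob@example.org", "list-secret")]:
        print(frm, "->", check_approved(sample(frm, pw), LIST_PW, SENDER_PWS)[0])
```

Revoking one sender here means deleting one entry from the per-sender table, while the list password and every other sender's password stay unchanged.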