nanog mailing list archives

Re: Massive change in Public Cert behaviour coming soon


From: brent saner via NANOG <nanog () lists nanog org>
Date: Sun, 18 May 2025 14:20:09 -0500

On Sun, May 18, 2025, 13:30 Grant Taylor via NANOG <nanog () lists nanog org>
wrote:

On 5/18/25 12:14 PM, Tom Beecher via NANOG wrote:
"I am FOO." = Identification

"This is proof I am FOO" = Authentication

Okay.  I think that's a fair distinction.

Based on these meanings, I think that most contemporary MTAs use some
form of (weak) authenticated identity.  The most common that I see is
reverse DNS with forward DNS confirmation.  A less common form of
(client) authentication is username & password.

N.B. Only less common in that there are more MTA-to-MTA connections than
there are MUA-to-MTA connections.  --  I'm eliding illegitimate
connections like credential stuffing attacks.

I haven't seen a properly configured Internet accessible MTA not do any
form of authentication in many years.  More like multiple decades at
this point.

So I posit that Brent's "SMTP do not authenticate" statement is outdated
at best.


MTAs don't authenticate to each other.
They *usually* verify the cert, but this *is not* authentication; there is
no context given to the identity, merely that the public key is trusted.


What is done with that authenticated identity is a down-stream and
independent of the authentication process itself.


If authentication is done on an identity provided, *that is downstream*.
TLS, by itself, is not authentication.

Encryption and the trust/validity/verification of it is *not*
authentication. (Internet-facing) MTAs do *not* allow/disallow entry to the
service based on the identity itself.
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/QIMXQFXCN5SAR4G3JO7OUDISDSNXT6QE/
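The two mechanisms the thread contrasts, shown side by side as an added example (this is not code from either poster or from any MTA): a forward-confirmed reverse DNS check of the kind Grant describes, a SAN-style hostname comparison of the kind certificate verification performs, and an admission function that records whatever identity those checks produced but admits the connection regardless, which is the port-25 behaviour Brent describes. The resolver data, the IP addresses and the hostnames are constructed for the example; the function names are the example's own.

```python
"""Added example (not part of the thread): forward-confirmed reverse DNS
(FCrDNS) as MTAs commonly apply it, next to a hostname check in the style
of a certificate SAN match, with the admission decision kept separate.
All DNS data below is constructed; nothing here touches the network."""
import ipaddress

# Constructed resolver data standing in for PTR and A lookups (assumption).
SAMPLE_PTR = {
    "203.0.113.10": ["mx1.example.net."],
    "203.0.113.11": ["mail.example.org."],  # forward record will disagree
    "198.51.100.5": [],                      # no PTR published at all
}
SAMPLE_A = {
    "mx1.example.net.": ["203.0.113.10"],
    "mail.example.org.": ["203.0.113.99"],
}


def lookup_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def lookup_a(name):
    return SAMPLE_A.get(name, [])


def fcrdns(ip, ptr_lookup=lookup_ptr, a_lookup=lookup_a):
    """Return the PTR names of `ip` whose forward (A) records include `ip`.
    An empty list means the reverse name is absent or unconfirmed. The
    result only shows that the PTR zone and the forward zone agree; it is
    the weak form of identity the thread refers to."""
    ip = str(ipaddress.ip_address(ip))  # normalises, rejects garbage input
    confirmed = []
    for name in ptr_lookup(ip):
        if ip in a_lookup(name):
            confirmed.append(name.rstrip("."))
    return confirmed


def san_matches(san, host):
    """Hostname comparison in the style of a certificate SAN check:
    case-insensitive, trailing dot ignored, and a leading '*.' matches
    exactly one label (so '*.example.net' does not match 'example.net'
    or 'a.b.example.net')."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[2:]
        head, sep, tail = host.partition(".")
        return bool(sep) and "*" not in head and tail == suffix
    return san == host


def verify_peer(chain_trusted, sans, expected_host):
    """What 'verifying the cert' yields: a name the trusted key is bound
    to, or None. It answers 'is this key trusted for this name' and says
    nothing about whether that name may use the service."""
    if not chain_trusted:
        return None
    for san in sans:
        if san_matches(san, expected_host):
            return san
    return None


def admit_inbound(ip, tls_identity):
    """Admission for an Internet-facing port-25 listener as the thread
    describes it: the identity is recorded for downstream use (logging,
    Received: headers, later policy), but the connection is admitted
    whether or not any identity was confirmed."""
    names = fcrdns(ip)
    return {
        "admitted": True,
        "fcrdns": names[0] if names else None,
        "tls_peer": tls_identity,
    }


if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(ip, "->", fcrdns(ip))
    peer = verify_peer(True, ["*.example.net"], "mx1.example.net")
    print(admit_inbound("203.0.113.10", peer))
```

The point the split makes concrete: `fcrdns` and `verify_peer` each return an identity (or nothing), and `admit_inbound` returns the same answer either way. Authentication, if any, would be whatever a later policy step does with the identity those two functions hand back.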