The report origin authentication service enables a message originator to authenticate the origin of a delivery/non-delivery report. This service counters the threat of masquerade (i.e., impersonation of the report originator). It is provided to the message originator, as well as to any MTA transferring the report, on a per-report basis using an asymmetric encryption technique. If a security label is present in the report, the service binds the security label to the report.
The reporting MTA provides this service by generating a report origin authentication check (i.e., a digital signature) and sending it in the report. The report origin authentication check may be generated when the message origin authentication check is present in the subject message. The report signature is computed as a function of the content identifier and security label of the subject message, the name of the recipient, and for:
The report origin authentication check is derived using the reporting MTA's private key. The check is validated by the originator of the subject message, and any MTA transferring the message, using the MTA's public key certificate. This certificate may be transferred in the report, or obtained by some other means.