ietf-822

Re: return-path security

1997-08-05 14:31:27
On Tue, 5 Aug 1997, D. J. Bernstein wrote:
The mailing list hides the return path, so the cookie isn't broadcasted
to the mailing list. Of course, it's available in mail logs, but logs
aren't public on well-run hosts. It's available to sniffers, but in any
case the number of possible attackers has been drastically reduced. This
is one of the most effective low-cost security mechanisms.

If the cookie is constant, this provides a mechanism with slightly worse
security than plaintext password logins, which are discouraged by the
IESG/IAB currently.  If the cookie is something like an HMAC-SHA1 computed
over a timestamp in the message and a secret, this is pretty cool but
worthless without interoperability between the MUA and MLM (thus requiring
a standard). 

The main problem in practice is that, for many people, putting extra
information into the return path is not as trivial as you claim.

Most modern MUAs have a text box in a preferences dialog to enter the
return path/sender/default from.  This does make it trivial to generate a
single message with any given return path, but is too cumbersome to
routinely change the return path.

A subaddress standard would encourage MUA authors to allow subaddresses to
be specified on a per-message basis or, even better, get the subaddress
from the personal address book for list postings.  So I conclude that a
subaddress standard could make your technique more usable down the road. 

                - Chris
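
The timestamped HMAC-SHA1 cookie mentioned in the message above, as an added example that is not code from this thread or from any MUA or MLM. The `+` subaddress separator, the `user+<ts>-<mac>@domain` layout, the one-hour freshness window and the binding of the mailbox into the MAC are all assumptions made for illustration.

```python
import hashlib
import hmac

MAX_AGE = 3600  # assumed freshness window, in seconds


def _mac(secret: bytes, mailbox: str, ts: int) -> str:
    # HMAC-SHA1 over the timestamp, as in the message; the mailbox is
    # bound in as well (assumption) so a cookie cannot move between senders.
    msg = f"{mailbox.lower()}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()


def make_return_path(secret: bytes, mailbox: str, ts: int) -> str:
    """MUA side: build user+<ts>-<mac>@domain for one posting."""
    local, domain = mailbox.rsplit("@", 1)
    return f"{local}+{ts}-{_mac(secret, mailbox, ts)}@{domain}"


def verify_return_path(secret: bytes, return_path: str, now: int) -> bool:
    """MLM side: True only for a fresh, correctly keyed cookie."""
    try:
        local, domain = return_path.rsplit("@", 1)
        user, cookie = local.split("+", 1)
        ts_text, mac = cookie.split("-", 1)
        if not (ts_text.isascii() and ts_text.isdigit()):
            raise ValueError("non-canonical timestamp")
        ts = int(ts_text)
    except ValueError:
        return False  # no subaddress, or malformed cookie
    if not 0 <= now - ts <= MAX_AGE:
        return False  # stale or future-dated: bounds reuse of a logged or sniffed cookie
    expected = _mac(secret, f"{user}@{domain}", ts)
    # Constant-time comparison on bytes, so odd input cannot raise TypeError.
    return hmac.compare_digest(expected.encode(), mac.lower().encode())
```

A constant cookie would pass the same check forever once seen in a log or on the wire; here a captured return path stops verifying after `MAX_AGE`.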

