On Wed, 23 Jul 2008, Keith Moore wrote:
Tony Finch wrote:
Of course MUAs should just use the protocol's negotiation features to
auto-configure the most secure settings possible.
strongly disagree. the problem is that when you try to negotiate the most
secure settings possible, you often create a way for the negotiation to be
dumbed down by an attacker to the least secure setting possible.
Not if you store the settings that you negotiated the first time
(ssh-style "leap of faith") and allow the user to check the stored
settings.
Tony.
--
f.anthony.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
FISHER GERMAN BIGHT: VARIABLE 3 OR 4 BECOMING EASTERLY 4 OR 5, OCCASIONALLY 6
LATER. SLIGHT OR MODERATE. FOG PATCHES. GOOD, OCCASIONALLY VERY POOR.