ietf-822
[Top] [All Lists]

Re: Intent to revive "expires" header from draft-ietf-mailext-new-fields-15

2008-07-24 04:38:26

Tony Finch wrote:
On Wed, 23 Jul 2008, Keith Moore wrote:
Tony Finch wrote:

Of course MUAs should just use the protocol's negotiation features to
auto-configure the most secure settings possible.
strongly disagree.  the problem is that when you try to negotiate the most
secure settings possible, you often create a way for the negotiation to be
dumbed down by an attacker to the least secure setting possible.

Not if you store the settings that you negotiated the first time
(ssh-style "leap of faith") and allow the user to check the stored
settings.

It seems to me that this defeats the purpose as the whole point of this kind of "security negotiation" (or most of the point, anyway) is to keep the user from needing to be aware of such details.

Keith

<Prev in Thread] Current Thread [Next in Thread>