Hang on a second here, I don't think anyone in the crypto world is
seriously worried about an attack which would allow an attacker to find an
efficient inverse function for sha1, and if they did we would be sooo screwed
every other way it would not be funny.

I was thinking we would add bogus email addresses that have already found
their way to the lists...
-----Original Message-----
From: william(_at_)elan(_dot_)net
Sent: Wed Mar 26 14:59:08 2003
To: Kee Hinckley
Cc: Hallam-Baker, Phillip; 'Brad Templeton'; 'Asrg
(asrg(_at_)ietf(_dot_)org)'
Subject: RE: [Asrg] 5b. Opt-Out, 2nd version
We could add to the list addresses that are not actually valid - like
the striker addresses for example.
I think this is called "poison pill" and different pills can be inserted
into lists that are distributed to different parties. Then if unwanted email
appears on this email, that can be used as verification that they
decrypted entire opt-out list.
How would you validate them? And if you don't, why wouldn't some
helpful person do a dictionary attack on the opt-out list in order to
remove everyone.
Similar "poison pill" system can also work for central server that
provides authentication to get opt-out list. In this case you invent some
easily guessable email addresses but not actually use it in any email. If
somebody queries for it and gets opt-out no answer but then there are
unsolicited emails coming to it, you know who did something wrong.
----
William Leibzon
Elan Communications Inc.
william(_at_)elan(_dot_)net
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
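
The per-recipient "poison pill" scheme discussed in this thread, as an added sketch that is not part of the original messages. The domain optout.example, the word list, the party names and the operator secret are all assumptions made for illustration. The pills are deliberately guessable local parts, since a pill only fires if a dictionary attack on the SHA-1 hashed list can recover it.

```python
import hashlib
import hmac

# Constructed sample data: guessable local parts and a domain the list
# operator controls and never uses for real mail (both are assumptions).
COMMON = ["john", "mary", "info", "sales", "bob", "alice", "mike", "linda"]
DOMAIN = "optout.example"

def sha1_hex(addr):
    """SHA-1 of the normalised address, the form the opt-out list is shipped in."""
    return hashlib.sha1(addr.strip().lower().encode()).hexdigest()

def assign_pills(secret, parties, per_party=2):
    """Give every party a disjoint set of pill addresses.

    The word order is keyed with the operator's secret so a party cannot
    predict which guessable addresses are pills in someone else's copy.
    """
    ranked = sorted(
        COMMON,
        key=lambda w: hmac.new(secret, w.encode(), hashlib.sha256).digest(),
    )
    if per_party * len(parties) > len(ranked):
        raise ValueError("not enough candidate addresses for disjoint pills")
    return {
        p: [f"{w}@{DOMAIN}" for w in ranked[i * per_party:(i + 1) * per_party]]
        for i, p in enumerate(sorted(parties))
    }

def build_copy(real_addresses, pills):
    """Hashed list for one party; sorted so pill position reveals nothing."""
    return sorted(sha1_hex(a) for a in list(real_addresses) + list(pills))

def attribute(recipient, assignment):
    """Map the recipient of an unsolicited message to the party whose copy held it."""
    rcpt = recipient.strip().lower()
    for party, pills in assignment.items():
        if rcpt in pills:
            return party
    return None  # not a pill: proves nothing about any list copy

if __name__ == "__main__":
    assignment = assign_pills(b"operator-secret", ["partyA", "partyB", "partyC"])
    copy_b = build_copy(["someone@user.example"], assignment["partyB"])
    print(len(copy_b), "hashes in partyB's copy")
    # Unsolicited mail later arrives at one of partyB's pills:
    print(attribute(assignment["partyB"][0], assignment))
```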