At 05:05 PM 5/15/2003 +0100, Jon Kyme wrote:
> > problem too. As I mentioned before, perhaps we should not store plain
> > email addresses - but some form of checksum or something. Even though that is
> > susceptible to dictionary attacks, the attacker must know what he is
> > looking for. This will at least protect against people snooping at
> > messages.
> >
> I don't think it's necc. to specify what steps an implementer needs to take
> to protect/hide the data - just a recommendation that they should take
> steps is probably enough. Maybe?

In order for different C/R systems to interoperate they must know whether a
plain email address is used or a checksum - leaving this to implementors
will kill interoperability. Perhaps this should be an optional feature of
the protocol?
---------------------------------------------------------------------------------------------------
Yakov Shafranovich / <research(_at_)solidmatrix(_dot_)com>
SolidMatrix Research, a division of SolidMatrix Technologies, Inc.
---------------------------------------------------------------------------------------------------
"One who watches the wind will never sow, and one who keeps his eyes on
the clouds will never reap" (Ecclesiastes 11:4)
---------------------------------------------------------------------------------------------------
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
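
An added illustration of the interoperability point raised in the message above; it is not part of the original thread or of any C/R specification. It assumes a hypothetical `scheme:value` tag, SHA-256 as the checksum, and lowercase/trim canonicalization, so a receiver can tell a plain address from a digest and compare either against an address it already knows. An unsalted digest still confirms a correctly guessed address, which is the dictionary caveat the quoted text mentions.

```python
import hashlib
import hmac

# Hypothetical scheme tags for this example; not taken from any C/R spec.
SCHEMES = ("plain", "sha256")

def normalize(addr: str) -> str:
    # Both systems must canonicalize identically or digests never match.
    return addr.strip().lower()

def encode_address(addr: str, scheme: str = "sha256") -> str:
    """Return 'scheme:value' so the receiver knows how to compare."""
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme: {scheme}")
    value = normalize(addr)
    if scheme == "sha256":
        value = hashlib.sha256(value.encode("utf-8")).hexdigest()
    return f"{scheme}:{value}"

def matches(field: str, candidate: str) -> bool:
    """Check a received field against an address the receiver already knows."""
    scheme, sep, value = field.partition(":")
    if not sep or scheme not in SCHEMES:
        # An untagged field is ambiguous: plain address or checksum?
        raise ValueError("untagged or unknown address encoding")
    expected = encode_address(candidate, scheme).partition(":")[2]
    return hmac.compare_digest(normalize(value).encode("utf-8"),
                               expected.encode("utf-8"))

if __name__ == "__main__":
    field = encode_address("Alice@Example.org")  # constructed sample address
    print(field)                                 # digest only, no readable address
    print(matches(field, "alice@example.org"))   # receiver knows the address
    print(matches(field, "bob@example.org"))     # different address
```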