ietf-clear
[Top] [All Lists]

[ietf-clear] BATV changes to make it more flexible

2004-11-17 09:17:34
That's a bad idea: consider
attacker+VERYVERYLONGLOCALPARTSUFFIXWHICHLOOKSLIKEBATV/victim(_at_)domain

I believe the syntax was not correct, it still included "+" which I later
eliminated when simplifying syntax and removing extra special symbols symbols.
I'm correcting it below.

You missed the point: attacker+anything(_at_)domain is a valid email address:
the attacker can choose any local part suffix appended to their usual
local part with a +.

As for your example even if it was correct syntax, the possibility that
somebody would try to use syntax that looks like BATV exist in current
BATV syntax as well, i.e.
 batv=victim/VERYVERYLONGLOCALPARTSUFFIXWHICHLOOKSLIKEBATV(_at_)domain

This, however is an invalid email address since it's using BATV framing
with an invalid tag, rather than local-part suffix framing where any tag
is valid.

My point was that your altered syntax has widened the possibility of
attacks based on human factors.

The rationale is to allow multiple signatures to co-exist and allow
signatures of possibly multiple data parts, etc.

That's obvious from your original message. What I mean by a rationale
is an explanation for why is this desirable.

Tony.
-- 
f.a.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
MALIN HEBRIDES: NORTHEAST 4 OR 5 INCREASING 6. RAIN LATER. GOOD BECOMING
MODERATE.