Tim Dean wrote:
2. I am somewhat doubtful that access control in the recipient's user agent
is going to add a jot of Real
Security in practice. It would surely be extremely unwise to place any kind
of reliance on it. Any
Computer Scientist worth his salt is quickly going to figure how to by-pass
this check and read
everything which arrives in his computer. (And he is probably the kind of
person you didn't want to
unintentionally send a message to anyway!)
This is certainly true. I too wonder about the value of rules-based access
control in a off-the-shelf product. I suspect that the realities of commercial
implementations would make it difficult to establish any trust in recipient
RBAC processing.
Chris