ietf-smtp
[Top] [All Lists]

Re: remote signing, was BATV pseudo-Last Call

2008-05-20 19:52:17

The problem with that is in order to solve your problem you're asking a lot of people to make some fairly pervasive changes in how they perform address comparisons.

I agree with you that it's unlikely that people who key stuff on bounce addresses* will ever do anything other than a straight string comparison.

That's why I'm taking the timestamp out, so the BATV version of an address doesn't change and the string comparisons continue to work. Yeah, you lose replay protection, but I think the merits of the tradeoff between a largely hypothetical threat and known collateral damage are obvious.

Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.

* - disregarding, for the moment, the questions about whether that's a good idea in the long run independent of BATV

<Prev in Thread] Current Thread [Next in Thread>