mail-ng

Re: Challenge Response ?

2004-02-08 09:24:13

Hadmut Danisch <hadmut(_at_)danisch(_dot_)de> writes:
> You very often receive challenge response mails with a cookie asking
> you to reply or hit a particular web page in order to verify your
> mail address when subscribing to any mailing list etc.
>
> Maybe a new protocol should support special messages for this
> purpose.

You're still thinking too much like today's protocols.  The correct
requirement is

- Users should have a way of authenticating themselves to a website as
a recipient of a particular email address

Challenge-response is only one way of achieving this, and it's a
rather clunky way.

Bear in mind also that in many cases, websites do this to ensure they
have the permission of a particular email address holder to send them
email before they start mailing them, so that they cannot be used in
mailbox stuffing attacks.  In a permission-based system, this problem
cannot arise - the website simply can't send them email at all without
permission.
-- 
  __  Paul Crowley
\/ o\ sig(_at_)paul(_dot_)ciphergoth(_dot_)org
/\__/ http://www.ciphergoth.org/

