Hadmut Danisch <hadmut(_at_)danisch(_dot_)de> writes:
> You very often receive challenge response mails with a cookie asking
> you to reply or hit a particular web page in order to verify your
> mail address when subscribing to any mailing list etc.
> Maybe a new protocol should support special messages for this
> purpose.

You're still thinking too much like today's protocols. The correct
requirement is

- Users should have a way of authenticating themselves to a website as
  a recipient of a particular email address

Challenge-response is only one way of achieving this, and it's a
rather clunky way.

Bear in mind also that in many cases, websites do this to ensure they
have the permission of a particular email address holder to send them
email before they start mailing them, so that they cannot be used in
mailbox stuffing attacks. In a permission-based system, this problem
cannot arise - the website simply can't send them email at all without
permission.
--
__ Paul Crowley
\/ o\ sig(_at_)paul(_dot_)ciphergoth(_dot_)org
/\__/ http://www.ciphergoth.org/