mail-ng

Re: Mail Cookies

2004-02-13 10:50:01

On Thu, Feb 12, 2004 at 10:52:02AM -0800, william<at>elan.net wrote:

Those "cookies" will have to be signed to be considered for serious
use.


I currently don't see a formal need. As with HTTP cookies, they would not
have any standardized semantics, just be any character string.
If you need a signature, just put a signed octet string in there. 
Or use a random number. It's up to the server implementation to 
protect against malicious cookies, similar to HTTP cookies.

So on one hand, I'd say yes, of course you need some protection
(depending on what you're going to use them for).  On the other hand,
it's not a property of the cookie.  The cookie is not to be signed,
but can carry a signature on anything as its payload.

regards
Hadmut
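
The option described in the message above, an opaque cookie string whose payload carries its own integrity check, sketched as an added example that is not part of the original message or of any mail-ng proposal. It assumes the issuing server is the only verifier, so it uses an HMAC-SHA256 tag rather than a public-key signature; the `payload.tag` layout, the function names and the key handling are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; it never leaves the server that issues cookies.
SERVER_KEY = secrets.token_bytes(32)


def encode_field(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_field(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(payload: bytes, key: bytes = SERVER_KEY) -> str:
    """Return an opaque cookie string: the payload plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return encode_field(payload) + "." + encode_field(tag)


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the payload if the tag verifies, else None (treat as 'no cookie')."""
    try:
        payload_part, tag_part = cookie.split(".")
        payload = decode_field(payload_part)
        tag = decode_field(tag_part)
    except (ValueError, UnicodeError):
        return None  # malformed: wrong number of fields or undecodable base64
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak tag bytes through timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


if __name__ == "__main__":
    # Constructed sample payload; to the client the cookie is just a character string.
    cookie = issue_cookie(b"sender=alice@example.org;seq=7")
    print("issued:  ", cookie)
    print("verified:", verify_cookie(cookie))
    forged = issue_cookie(b"sender=mallory@example.org;seq=7").split(".")[0]
    forged += "." + cookie.split(".")[1]  # new payload, old tag
    print("forged:  ", verify_cookie(forged))
```

The random-number alternative from the message needs no tag at all: the server stores the random value and looks it up when the cookie comes back.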





