spf-discuss
Re: ANNOUNCE: SRS v0.15 documentation and code

2004-02-10 19:36:00

wayne writes:
In <Pine(_dot_)LNX(_dot_)4(_dot_)53(_dot_)0402110051270(_dot_)29116(_at_)astray(_dot_)com> Shevek <spf(_at_)anarres(_dot_)org> writes:


I hope that this resolves any outstanding questions[0]. I await with 
trepidation the comments of the community[1].

Ok, I *haven't* been following the SRS stuff, so please forgive me if
this has been considered.

It appears that you are using base64 to encode stuff and putting in
the local part.  Base64 uses both upper and lower case characters.  If
I recall correctly, the local part is supposed to be case sensitive,
but in practice, there are systems that change the case of letters in
it.  IBM mainframes come to mind, but I suspect there are others.

Can you really get away with using mixed cases in practice?


As Daniel Roethlisberger points out, you really don't need a complete
MD5 hash.  My gut feel is that even 16 bits of the hash would prevent
any useful spoofing of the SRS system, and I think it would be very
useful to calculate a lower bound.  Then, you can use base32 encoding
or something more resilient to strange MTA manglings.

yep.  I'd suggest 6 bytes of base36, that is, [a-z0-9].  That gives over 2
billion total possible combos.

--j.
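
The following is an added example, not part of this message or of the SRS code. It compares a truncated MAC encoded as 6 characters of base36 (the suggestion above) with a base64 tag when an MTA changes the case of the local part. HMAC-SHA-256, the key, the input string and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # constructed key for this example only
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"   # base36, single case
TAG_LEN = 6                            # 36**6 = 2,176,782,336 possible tags

def _mac(data: str) -> bytes:
    # Assumption: the MAC input is lower-cased too, since an MTA that folds
    # the tag's case folds the rest of the local part as well.
    return hmac.new(SECRET, data.lower().encode(), hashlib.sha256).digest()

def base36_tag(data: str) -> str:
    """Truncate the MAC to TAG_LEN base36 characters."""
    n = int.from_bytes(_mac(data), "big") % 36 ** TAG_LEN
    chars = []
    for _ in range(TAG_LEN):
        n, r = divmod(n, 36)
        chars.append(ALPHABET[r])
    return "".join(reversed(chars))

def base64_tag(data: str) -> str:
    """Truncate the MAC to 4 bytes and base64-encode it (mixed case)."""
    return base64.b64encode(_mac(data)[:4]).decode().rstrip("=")

def verify36(data: str, tag: str) -> bool:
    # Case-insensitive check: normalise the received tag before comparing.
    return hmac.compare_digest(base36_tag(data).encode(), tag.lower().encode())

def verify64(data: str, tag: str) -> bool:
    # Base64 is case-significant, so the tag must arrive byte-for-byte intact.
    return hmac.compare_digest(base64_tag(data).encode(), tag.encode())

def survives_case_folding(data: str, tag: str, verify) -> bool:
    """True if the tag still verifies after an MTA upper- or lower-cases it."""
    return verify(data, tag.upper()) and verify(data, tag.lower())

if __name__ == "__main__":
    addr = "example.org=Alice"   # constructed sample input
    for name, make, check in (("base36", base36_tag, verify36),
                              ("base64", base64_tag, verify64)):
        tag = make(addr)
        print(name, tag, survives_case_folding(addr, tag, check))
```

The base36 tag verifies after any case change; the base64 tag only survives when it happens to contain no letters.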