On Wed, 2004-02-25 at 13:13 -0500, Meng Weng Wong wrote:
> That opens the door to replay attacks where only the URL is changed.

To replay attacks where an URL is added before or after the mail, yes.
And in which the Date: and Message-Id: are also kept the same (I know, I
didn't explicitly write that in the mail to which I referred).
The whole _point_ is to allow URLs to be added -- that, after all, is
what most mailing lists are adding. If you want GPG, that's there too.
Local policy can dictate how much addition you'll take, and I wouldn't
suggest that the verification get any _fuzzier_ -- the original body
should be kept intact and unchanged, for example.
I think that needs to be considered acceptable, because the
_alternative_ is to break existing mailing lists etc.
It's local policy though -- if your value of 'how many extra lines do we
accept' is zero, that's entirely up to you.
--
dwmw2
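
An added example, not part of the original message and not any project's code: a verifier that accepts lines added before or after an intact original body, up to a local-policy limit. It assumes the signature covers the body's line count and a SHA-256 digest of its lines (both assumptions; the thread does not specify them) and that the signature itself is checked elsewhere; all sample bodies are constructed.

```python
import hashlib


def body_digest(lines):
    """SHA-256 over the body lines joined with CRLF (assumed canonical form)."""
    return hashlib.sha256("\r\n".join(lines).encode("utf-8")).hexdigest()


def verify_with_additions(received_body, signed_line_count, signed_digest,
                          max_extra_lines):
    """Look for the signed body as one unchanged, contiguous run of lines.

    Returns (ok, lines_added_before, lines_added_after). Any change inside
    the original body fails; only whole lines around it are tolerated, and
    only up to max_extra_lines in total (0 means no additions accepted).
    """
    lines = received_body.splitlines()
    extra = len(lines) - signed_line_count
    if extra < 0 or extra > max_extra_lines:
        return (False, None, None)
    # Slide a window of the signed length over every allowed offset.
    for before in range(extra + 1):
        window = lines[before:before + signed_line_count]
        if body_digest(window) == signed_digest:
            return (True, before, extra - before)
    return (False, None, None)


# Constructed sample data: what the sender signed.
ORIGINAL = ["Hello list,", "", "The patch is attached.", "-- ", "alice"]
SIGNED_COUNT = len(ORIGINAL)
SIGNED_DIGEST = body_digest(ORIGINAL)

# Constructed copy as a mailing list would deliver it, footer appended.
LIST_COPY = "\n".join(ORIGINAL + ["____", "list mailing list",
                                  "http://lists.example.org/listinfo"])
# Constructed replay: same signed body, a different line added in front.
# The added line is covered by nothing in the signature.
REPLAY_COPY = "\n".join(["http://added.example.invalid/"] + ORIGINAL)
# Constructed copy with a change inside the original body.
TAMPERED_COPY = "\n".join(["Hello list,", "", "The patch is NOT attached.",
                           "-- ", "alice"])

if __name__ == "__main__":
    for name, body in [("list", LIST_COPY), ("replay", REPLAY_COPY),
                       ("tampered", TAMPERED_COPY)]:
        for limit in (0, 4):
            print(name, limit, verify_with_additions(
                body, SIGNED_COUNT, SIGNED_DIGEST, limit))
```

The replay copy passes under a limit of 4 and fails under a limit of 0, which is the trade-off the message describes: the original body is authenticated, the added lines are not.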