> - you must prove it before you can report it

I don't think this is a good policy in general. Often, it's more cost-effective to fix a potential vulnerability than to investigate it in detail, construct a proof that it's real, and fix it. This is especially true in environments where changes can be deployed at moderate cost. (I know that there are others.)

To sum it up, I think it's fine to report potential problems as well, but they have to be labeled as such (so that they receive the right priority).

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]