On 10/02/2013 04:32 PM, Greg wrote:
> I agree, I apologize for the excessively negative tone. I think RL (and
> unrelated) agitation affected my writing and word choice. I've taken
> steps to prevent that from happening again (via magic of self-censoring
> software).

Cool. :-)

> I don't see why a one-time-password is necessary. Just check the headers
> to verify that the send-path was the same as it was on the original request.

Hm... that's a nice idea, but I don't think it can work reliably. What if the send path changes in between? AFAIK there are legitimate reasons for that, like load balancers or weird greylisting setups.

Plus: why should that part of the header be more trustworthy than any other part? Granted, at least the last IP is added by a trusted server. But doesn't that boil down to IP-based authentication?

I'm not saying it's impossible, I just don't think it's as good as a one-time token. Do you know of a mailing list software implementing such a thing?

Regards

Markus Wanner
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
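The two confirmation designs argued about above, worked through as an added example that is not part of the thread and not the code of any mailing list software: the Received-chain comparison Greg proposes and the HMAC-bound one-time token Markus prefers. The host names, the secret key, the timestamps and both sample messages are constructed for the example; the only real behaviour it leans on is Python's standard `email`, `hmac` and `secrets` modules. The sample reply takes a different but equally legitimate route (a second MX of the same provider), which is exactly the load-balancer case that makes the path check reject a genuine subscriber, while the token check still succeeds once and refuses a replay.

```python
import email
import hashlib
import hmac
import secrets

# Assumption: the list server's secret key (constructed for this example).
SECRET = b"constructed-demo-list-secret"

# Pending confirmations, nonce -> (address, expiry). A real server keeps this
# in durable storage; a dict is enough to show the one-time property.
PENDING = {}


def issue_token(address, now, ttl=3600, secret=SECRET):
    """Issue a one-time confirmation token for `address`, valid `ttl` seconds from `now`."""
    nonce = secrets.token_hex(8)
    expiry = int(now) + ttl
    mac = hmac.new(secret, f"{address}|{nonce}|{expiry}".encode(), hashlib.sha256).hexdigest()
    PENDING[nonce] = (address, expiry)
    return f"{nonce}.{expiry}.{mac}"


def verify_token(address, token, now, secret=SECRET):
    """Return True once for a valid, unexpired token bound to `address`; False afterwards."""
    try:
        nonce, expiry_s, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{address}|{nonce}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False
    if int(now) > expiry:
        return False
    # Consume the nonce: a replayed token fails here even though its MAC is valid.
    entry = PENDING.pop(nonce, None)
    return entry is not None and entry[0] == address


def received_path(raw_message):
    """Return the 'from' host of each Received header, newest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for rcv in msg.get_all("Received", []):
        parts = rcv.split()
        if len(parts) >= 2 and parts[0].lower() == "from":
            hops.append(parts[1].lower())
    return hops


def same_send_path(original_raw, reply_raw):
    """The header-based proposal: accept the reply only if its Received chain matches the request's."""
    return received_path(original_raw) == received_path(reply_raw)


# Constructed sample messages: the same subscriber, but the provider's second MX
# (mx2) relayed the confirmation reply instead of mx1.
ORIGINAL_REQUEST = "\n".join([
    "Received: from mx1.example.org by list.example.org with ESMTP; Wed, 02 Oct 2013 16:00:00 +0200",
    "Received: from client.example.net by mx1.example.org with ESMTP; Wed, 02 Oct 2013 15:59:58 +0200",
    "From: alice@example.net",
    "Subject: subscribe",
    "",
    "subscribe",
])

CONFIRMATION_REPLY = "\n".join([
    "Received: from mx2.example.org by list.example.org with ESMTP; Wed, 02 Oct 2013 16:05:00 +0200",
    "Received: from client.example.net by mx2.example.org with ESMTP; Wed, 02 Oct 2013 16:04:58 +0200",
    "From: alice@example.net",
    "Subject: Re: confirm",
    "",
    "confirm",
])


def demo(now=1380722400):
    """Run both checks on the sample messages and return the outcomes."""
    path_ok = same_send_path(ORIGINAL_REQUEST, CONFIRMATION_REPLY)
    token = issue_token("alice@example.net", now)
    first = verify_token("alice@example.net", token, now + 60)
    replay = verify_token("alice@example.net", token, now + 61)
    return {"path_ok": path_ok, "token_first_use": first, "token_replay": replay}


if __name__ == "__main__":
    print(demo())   # {'path_ok': False, 'token_first_use': True, 'token_replay': False}
```

The token binds address, nonce and expiry under the server's key, so a forged or tampered token fails the MAC check, an old one fails the expiry check, and a captured one is only good once because the nonce is removed on first successful use. The path comparison has no such binding: it trusts whatever the upstream relays wrote into Received, and any legitimate change of route rejects the real subscriber.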