> Hm.. that's a nice idea, but I don't think it can work reliably. What if
> the send path changes in between? AFAIK there are legitimate reasons for
> that, like load balancers or weird greylisting setups.

You're right, I think I misunderstood you when you talked about a "one time 
password". I thought you were referring to something users would have to come 
up with.

If by "one time password" you mean a server-generated token, then yes, that 
would be far better.

That's standard practice for most mailing lists. The token is usually a unique 
challenge link sent back to the user, and they can either click on it or reply 
to the message while quoting the link in the body. Sometimes it's also a unique 
number in the subject line.

- Greg

--
Please do not email me anything that you are not comfortable also sharing with 
the NSA.

On Oct 2, 2013, at 10:40 AM, Markus Wanner <mar...@bluegap.ch> wrote:

> On 10/02/2013 04:32 PM, Greg wrote:
>> I agree, I apologize for the excessively negative tone. I think RL (and
>> unrelated) agitation affected my writing and word choice. I've taken
>> steps to prevent that from happening again (via magic of self-censoring
>> software).
> 
> Cool. :-)
> 
>> I don't see why a one-time-password is necessary. Just check the headers
>> to verify that the send-path was the same as it was on the original request.
> 
> Hm.. that's a nice idea, but I don't think it can work reliably. What if
> the send path changes in between? AFAIK there are legitimate reasons for
> that, like load balancers or weird greylisting setups.
> 
> Plus: why should that part of the header be more trustworthy than any
> other part? Granted, at least the last IP is added by a trusted server.
> But doesn't that boil down to IP-based authentication?
> 
> I'm not saying it's impossible, I just don't think it's as good as a
> one-time token. Do you know of a mailing list software implementing such
> a thing?
> 
> Regards
> 
> Markus Wanner
> 


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
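The challenge-token flow Greg describes (a server-generated token sent back as a link in the body and as a unique value in the subject, confirmed either by clicking or by replying with the link quoted), as an added example that is not code from this thread or from any mailing-list software. The in-memory token store, the confirmation URL, the list-request address and the three-day lifetime are assumptions. It shows what makes such a token better than Markus's Received-path check: the token is unguessable, bound to the address it was mailed to, expires, and is consumed on first use, so neither the From header nor the delivery path has to be trusted; the reply is accepted only because it carries a value that was mailed to that address.

```python
"""One-time subscription confirmation tokens for a mailing list.

Added example, not the list software's own code. Assumptions: pending
tokens live in an in-memory dict; the hostname, URL path, list-request
address and TOKEN_TTL are made up for the example.
"""
import email
import email.utils
import hmac
import re
import secrets
import time
from email import policy
from email.message import EmailMessage

CONFIRM_URL = "https://lists.example.org/confirm/"   # hypothetical
TOKEN_TTL = 3 * 24 * 3600                             # assumption: 3 days
# secrets.token_urlsafe(32) yields 43 base64url characters; match one that
# stands alone, i.e. is not part of a longer run of token characters.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])([A-Za-z0-9_-]{43})(?![A-Za-z0-9_-])")


class PendingSubscriptions:
    """Issues one-time tokens and redeems each at most once."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # token -> (bound address, issue time)

    def issue(self, address):
        """Create a 256-bit token from the OS CSPRNG, bound to the address."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = (address.lower(), self._now())
        return token

    def challenge_message(self, address, token):
        """Build the challenge mail: link in the body, token in the subject."""
        msg = EmailMessage()
        msg["From"] = "list-request@lists.example.org"   # hypothetical
        msg["To"] = address
        msg["Subject"] = f"Confirm your subscription [{token}]"
        msg.set_content(
            "Click the link below, or reply to this mail quoting it:\n\n"
            f"{CONFIRM_URL}{token}\n"
        )
        return msg

    def redeem(self, token):
        """Consume the token; return the address it was bound to, else None.

        The sender of the confirmation is deliberately not checked: From and
        Received headers are forgeable, the unguessable token is the proof.
        """
        if not token.isascii():
            return None                      # compare_digest needs ASCII str
        # Compare against every pending token in constant time so timing does
        # not reveal how much of a guessed value is correct.
        match = None
        for candidate in self._pending:
            if hmac.compare_digest(candidate, token):
                match = candidate
        if match is None:
            return None
        address, issued_at = self._pending.pop(match)   # single use
        if self._now() - issued_at > TOKEN_TTL:
            return None                                 # expired: discarded
        return address

    def redeem_reply(self, raw_reply):
        """Accept a reply carrying the token in the subject or a quoted link."""
        msg = email.message_from_bytes(raw_reply, policy=policy.default)
        texts = [str(msg.get("Subject", ""))]
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                texts.append(part.get_content())
        for text in texts:
            for token in TOKEN_RE.findall(text):
                address = self.redeem(token)
                if address is not None:
                    return address
        return None


def demo():
    """Issue a token, confirm by a reply quoting the link, then replay it."""
    store = PendingSubscriptions()
    token = store.issue("Alice@example.net")
    # Constructed reply: the subscriber quotes the challenge link in the body.
    reply = (
        "From: Alice <alice@example.net>\r\n"
        "To: list-request@lists.example.org\r\n"
        "Subject: Re: Confirm your subscription\r\n"
        "\r\n"
        f"> {CONFIRM_URL}{token}\r\n"
    ).encode()
    first = store.redeem_reply(reply)    # "alice@example.net"
    second = store.redeem_reply(reply)   # None: token already consumed
    return first, second


if __name__ == "__main__":
    print(demo())
```

The subscription is applied to the address the token was bound to at issue time, not to whatever the reply's From header says; that is the point of the design, since anyone who can read mail at that address can confirm, and nobody else can.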
