> Hm.. that's a nice idea, but I don't think it can work reliably. What if
> the send path changes in between? AFAIK there are legitimate reasons for
> that, like load balancers or weird greylisting setups.

You're right, I think I misunderstood you when you talked about a "one time password". I thought you were referring to something users would have to come up with. If by "one time password" you mean a server-generated token, then yes, that would be far better.

That's standard practice for most mailing lists. The token is usually a unique challenge link sent back to the user, and they can either click on it or reply to the message while quoting the link in the body. Sometimes it's also a unique number in the subject line.

- Greg

-- 
Please do not email me anything that you are not comfortable also sharing with the NSA.

On Oct 2, 2013, at 10:40 AM, Markus Wanner <mar...@bluegap.ch> wrote:

> On 10/02/2013 04:32 PM, Greg wrote:
>> I agree, I apologize for the excessively negative tone. I think RL (and
>> unrelated) agitation affected my writing and word choice. I've taken
>> steps to prevent that from happening again (via magic of self-censoring
>> software).
>
> Cool. :-)
>
>> I don't see why a one-time-password is necessary. Just check the headers
>> to verify that the send-path was the same as it was on the original request.
>
> Hm.. that's a nice idea, but I don't think it can work reliably. What if
> the send path changes in between? AFAIK there are legitimate reasons for
> that, like load balancers or weird greylisting setups.
>
> Plus: why should that part of the header be more trustworthy than any
> other part? Granted, at least the last IP is added by a trusted server.
> But doesn't that boil down to IP-based authentication?
>
> I'm not saying it's impossible, I just don't think it's as good as a
> one-time token. Do you know of a mailing list software implementing such
> a thing?
>
> Regards
>
> Markus Wanner
signature.asc
Description: Message signed with OpenPGP using GPGMail
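The subscribe-confirmation flow Greg describes (a server-generated, single-use token carried in a challenge link, accepted either by clicking the link or by replying with the link quoted or the token left in the subject) as an added, self-contained example. This is editor-written illustration code, not Greg's, Markus's, or any list manager's implementation. The list URL, the ChallengeStore class and its method names, the three-day lifetime and the sample reply message are all assumed or constructed for the example; only the standard library is used.

```python
import email
import email.policy
import hmac
import re
import secrets
import time

LIST_BASE_URL = "https://lists.example.org/confirm"   # assumed list server, not real
TOKEN_TTL_SECONDS = 3 * 24 * 3600                     # pending requests expire after 3 days

# secrets.token_urlsafe(32) always yields 43 URL-safe base64 chars (256 bits of entropy),
# so this pattern picks candidate tokens out of a subject line or a quoted link.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43}")


class ChallengeStore:
    """Issues one-time confirmation tokens and redeems them from links or replies."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # token -> (subscriber address, expiry timestamp)

    def issue_challenge(self, address):
        """Record a pending request; return (link, subject, body) for the challenge mail."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = (address, self._now() + TOKEN_TTL_SECONDS)
        link = f"{LIST_BASE_URL}/{token}"
        subject = f"Confirm subscription: {token}"
        body = (
            f"Someone, possibly you, asked to subscribe {address}.\n"
            f"To confirm, visit {link}\n"
            "or simply reply to this message keeping the link above in your reply.\n"
        )
        return link, subject, body

    def _redeem(self, candidate):
        """Consume the token if pending and unexpired; return the address, else None."""
        for token, (address, expires_at) in list(self._pending.items()):
            # Constant-time compare; with 256-bit random tokens a dict lookup would also
            # be safe, but this never leaks how much of a guess matched.
            if hmac.compare_digest(token, candidate):
                del self._pending[token]          # one-time: a replayed token fails
                if self._now() > expires_at:       # stale request: refuse, and it is gone
                    return None
                return address
        return None

    def verify_link(self, url):
        """The user clicked the challenge link."""
        match = TOKEN_RE.search(url)
        return self._redeem(match.group(0)) if match else None

    def verify_reply(self, raw_message):
        """The user replied; accept the token from the subject or a quoted link in the body."""
        msg = email.message_from_bytes(raw_message, policy=email.policy.default)
        haystack = [str(msg["Subject"] or "")]
        body = msg.get_body(preferencelist=("plain",))
        if body is not None:
            haystack.append(body.get_content())
        for text in haystack:
            for candidate in TOKEN_RE.findall(text):
                address = self._redeem(candidate)
                if address is not None:
                    return address
        return None


def demo_reply_flow(address="alice@example.net"):
    """Issue a challenge, then verify a reply that quotes the link; return both outcomes."""
    store = ChallengeStore()
    link, subject, _body = store.issue_challenge(address)
    # Constructed reply: the subscriber's client keeps the subject and quotes the link.
    reply = (
        f"From: {address}\r\n"
        f"Subject: Re: {subject}\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "\r\n"
        "yes please\r\n"
        "\r\n"
        f"> {link}\r\n"
    ).encode()
    first = store.verify_reply(reply)     # the address: token accepted
    second = store.verify_reply(reply)    # None: the same token cannot be used twice
    return first, second


if __name__ == "__main__":
    print(demo_reply_flow())
```

Two details carry the security weight here: the token comes from a CSPRNG with 256 bits of entropy, so it cannot be guessed or derived from anything in the request, and it is deleted on first use, so a replayed or forwarded confirmation does nothing. Everything about the sender's path (Received headers, source IP) is ignored, which is exactly why the token approach does not care about load balancers or greylisting.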
_______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography