On Wed, Nov 27, 2002 at 08:58:38AM -0800, Mark Crispin wrote:
...
> The question is whether or not it is safe to exempt localhost connections.
> Since localhost does not go out over the wire and hence is internal to the
> local system, it arguably is not within the IETF domain to declare compliance.
> I am comfortable with that argument; I am not completely sure whether we can
> assume that localhost connections are a secure path.

In general terms that boils down to "how secure is the local system".
There are a lot more ways to threaten system security from within
the box than over the network.

You might even consider "local" not only loopback, but any connection
where getpeername() and getsockname() returned addresses are the same
(port numbers will vary, of course).

--
/Matti Aarnio <[EMAIL PROTECTED]>
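
The address comparison suggested in the reply above, as an added example that is not code from this thread or from any IMAP server. The names `same_host` and `is_local_connection` are hypothetical and the sample addresses used with it are constructed; a match shows only that the peer is on the same host, not which local user or process it is.

```python
import ipaddress
import socket


def _host(sockaddr):
    """Address part of an AF_INET/AF_INET6 sockaddr tuple; the port is ignored."""
    ip = ipaddress.ip_address(sockaddr[0].split("%", 1)[0])  # drop any IPv6 zone id
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; unmap them
    # so that they compare equal to the plain IPv4 form.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def same_host(local_sockaddr, peer_sockaddr):
    """True if the peer is loopback or has the same address as our own end."""
    local, peer = _host(local_sockaddr), _host(peer_sockaddr)
    return peer.is_loopback or peer == local


def is_local_connection(conn):
    """Apply the check to a connected socket (hypothetical helper name)."""
    if conn.family == socket.AF_UNIX:
        return True  # UNIX-domain sockets never leave the machine
    # getsockname() is our end, getpeername() is the client's end.
    return same_host(conn.getsockname(), conn.getpeername())


def loopback_pair_is_local():
    """Open a TCP connection over 127.0.0.1 and classify the accepted end."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick one
        listener.listen(1)
        with socket.create_connection(listener.getsockname()):
            conn, _ = listener.accept()
            with conn:
                return is_local_connection(conn)
```
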