On 14/Oct/10 00:00, Sam Varshavchik wrote:
> Alessandro Vesely writes:
>> On 13/Oct/10 00:08, Sam Varshavchik wrote:
>>> Alessandro Vesely writes:
>>>> A use case is for people using role addresses. One may write as,
>>>> say, [email protected], but is actually authenticated as
>>>> [email protected], because that's how she has configured
>>>> her client.
>>>
>>> Yes, I understand that, but I don't see how the logging information
>>> in Received: headers, which most people don't even see, makes a
>>> difference here.
>>
>> If /some/ people see it, by Murphy's law they will be the ones the
>> poor postmaster would never have wanted to learn about such a link...
>> Never mind.
>
> Ok, so they know the login address. Ok, now what? I suppose that the
> stock argument would be this is partial disclosure, exposing a
> potential dictionary attack.

Yes, that's a possible worry. I have "login-aliases" --mainly used to save typing-- but I cannot prevent logging in by full address, if one wants to.

Another worry is just not displaying that there is any relation between vanity.example and provider.example, or to disclose the personal address of people writing on behalf of a role address, even if it's well hidden in the header. I've been asked to modify zdkimfilter in order to sign with the "From" domain rather than with the one of the login id, for this kind of reason.

>> When utf-8 will be allowed, will this token have to be checked for
>> consistent encoding? Since it comes from authlib, trusting it may be
>> an acceptable design choice.
>
> Yes, trusting will be sufficient. This code can be completely dropped,
> as well as all the various bits that complain about 8-bit headers.

It will still have to be known if there are non-ASCII characters in the header, as this prevents sending to legacy MXes.
