http://bugzilla.spamassassin.org/show_bug.cgi?id=4550
------- Additional Comments From [EMAIL PROTECTED] 2005-08-29 11:38 -------
There's a relatively new feature that has been added to the TLS standard by the IETF and that is implemented in OpenSSL called TLS-PSK. I want to mention it here so the idea doesn't get lost. It may be a good way to do this.

Here is a brief comment about it quoted from a cryptography expert who was talking about it on a mailing list I subscribe to. Google to get full context from the mailing list archive if you are curious.

Peter Gutmann wrote:
> TLS-PSK fixes this problem by providing mutual authentication of client and
> server as part of the key exchange. Both sides demonstrate
> proof-of-possession of the password (without actually communicating the
> password), if either side fails to do this then the TLS handshake fails.

If we use TLS-PSK for the SSL spamc/spamd connection, we get the secure authentication all taken care of with a standards-based protocol. I do need to read more about it to find out if it is indeed practical to use it with a separate password for each user in a many-users environment. I don't yet know how OpenSSL deals with storing the various client passwords on the server.
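
An added illustration of the proof-of-possession idea in the quoted text, not part of the original comment and not SpamAssassin or OpenSSL code: a simplified Python model of the TLS 1.2 plain-PSK key schedule (RFC 4279 premaster secret, RFC 5246 PRF) with a per-identity key lookup on the server side. The identities, keys, table name and the shortened handshake transcript are constructed assumptions.

```python
# Added illustration: simplified model of the TLS 1.2 plain-PSK key schedule
# (RFC 4279 premaster secret, RFC 5246 PRF). Not a TLS implementation.
import hashlib
import hmac
import os
import struct

# Constructed per-user key table; identities and keys are made up.
SERVER_PSK_TABLE = {"alice": b"alice-secret", "bob": b"bob-secret"}


def prf(secret: bytes, label: bytes, seed: bytes, n: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed), truncated to n bytes."""
    seed = label + seed
    a, out = seed, b""
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]


def master_secret(psk: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # RFC 4279: premaster = uint16(N) || N zero bytes || uint16(N) || PSK
    n = struct.pack("!H", len(psk))
    premaster = n + bytes(len(psk)) + n + psk
    return prf(premaster, b"master secret", client_random + server_random, 48)


def finished(ms: bytes, label: bytes, transcript: bytes) -> bytes:
    # Finished verify_data: proves key possession without sending the key.
    return prf(ms, label, hashlib.sha256(transcript).digest(), 12)


def handshake(identity: str, client_psk: bytes) -> bool:
    """Return True only if both sides prove possession of the same PSK."""
    cr, sr = os.urandom(32), os.urandom(32)
    transcript = cr + sr + identity.encode()  # stand-in for handshake messages
    server_psk = SERVER_PSK_TABLE.get(identity)  # per-user lookup by identity
    if server_psk is None:
        return False  # unknown identity: handshake fails
    c_ms = master_secret(client_psk, cr, sr)
    s_ms = master_secret(server_psk, cr, sr)
    # Server checks the client's Finished, then the client checks the server's.
    client_ok = hmac.compare_digest(finished(c_ms, b"client finished", transcript),
                                    finished(s_ms, b"client finished", transcript))
    server_ok = hmac.compare_digest(finished(s_ms, b"server finished", transcript),
                                    finished(c_ms, b"server finished", transcript))
    return client_ok and server_ok
```

Only the random values, the identity and the 12-byte Finished values would cross the wire in this model; the key itself never does.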
