Hello.
Scott McWhirter wrote:
> Richard Dawe wrote:
>> What does "secure" mean? Does it mean that the mail was authenticated? Or does it mean that it came via an encrypted channel (e.g.: TLS)? Or both/either things?
>
> Well, since it's a boolean, it should be fairly obvious that it's not authentication. Since Email::Envelope deals with things happening at SMTP time, it deals with transmission via TLS/SSL/SSH/SomeOtherVoodoo. In other words, if it's been delivered via an encrypted means, then it's "secure".
[snip]
I think "secure" is slightly misleading here. For instance, consider where you've accepted an opportunistic TLS connection (*) where the client provided no certificate. The client can easily spoof the MAIL FROM, since you have no idea who the client is. How is that secure?
(*) Opportunistic in the sense that the server advertised STARTTLS but did not require (enforce) it for the client, but the client used TLS anyway.
I guess what I'm getting at is that "secure" isn't this black or white. Perhaps it should be split into different levels? Or different booleans (authenticated, authorised, encrypted)?
Bye, Rich =]
-- Richard Dawe [ http://homepages.nildram.co.uk/~phekda/richdawe/ ]
"You can't evaluate a man by logic alone." -- McCoy, "I, Mudd", Star Trek
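
The distinction drawn in the message above, as an added example that is not part of the original post and is not Email::Envelope code: a small model of what a receiving server knows at SMTP time, reporting encrypted, authenticated and authorised separately. The `SmtpSession` and `Assessment` types, the `assess` function and the `ALLOWED_SENDERS` policy are hypothetical names, and all sessions are constructed.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional

@dataclass(frozen=True)
class SmtpSession:
    """What the receiving server knows at SMTP time (constructed model)."""
    tls_active: bool                    # client completed STARTTLS
    client_cert_subject: Optional[str]  # identity from a verified client cert
    auth_identity: Optional[str]        # identity from a successful SMTP AUTH
    mail_from: str                      # envelope sender as claimed by client

class Assessment(NamedTuple):
    encrypted: bool
    authenticated: bool
    authorised: bool
    received_with: str  # RFC 3848 "with" keyword for the Received header

# Hypothetical policy: envelope senders each proven identity may use.
ALLOWED_SENDERS = {
    "alice": {"alice@example.org"},
    "relay.example.org": {"alice@example.org", "bob@example.org"},
}

def assess(s: SmtpSession) -> Assessment:
    # A client certificate only proves identity if it came over the TLS session.
    cert_identity = s.client_cert_subject if s.tls_active else None
    identity = s.auth_identity or cert_identity
    authenticated = identity is not None
    # Authorisation is a separate question: may this identity use this MAIL FROM?
    authorised = authenticated and (
        s.mail_from.lower() in ALLOWED_SENDERS.get(identity, set()))
    # RFC 3848: "S" marks STARTTLS, "A" marks SMTP AUTH (not client certs).
    keyword = ("ESMTP" + ("S" if s.tls_active else "")
               + ("A" if s.auth_identity else ""))
    return Assessment(s.tls_active, authenticated, authorised, keyword)

if __name__ == "__main__":
    # Constructed sessions; the first is the opportunistic-TLS case above.
    for s in (
        SmtpSession(True, None, None, "ceo@example.org"),
        SmtpSession(True, None, "alice", "alice@example.org"),
        SmtpSession(True, None, "alice", "bob@example.org"),
        SmtpSession(False, None, "alice", "alice@example.org"),
    ):
        print(s.mail_from, assess(s))
```

The first session is encrypted yet neither authenticated nor authorised, which is the case a single "secure" flag would report as true.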
