Hi CEEJOE,

First, let me ask you _NOT_ to CC me when replying to a mail of mine
on this list.
I am, as everybody else who writes to this list, subscribed here and do
get all the mail via this list. I don't need a private carbon copy.
Second, I want to ask why you change the subject in such a strange
manner? Neither are the square brackets useful to keep an overview, nor
does any arbitrary time appended to the subject make any sense to me. Is
there a special reason why we should have an eye on this time?

On Thu, 2 Jan 2003 04:08:06 +0000
CEEJOE <[EMAIL PROTECTED]> wrote:

> A lot of theory.

That's the basics of e-mail working in practice.

> However, TheBat can't handle secure IMAP4/secure
> POP3 connections flawlessly

It can handle SSL-secured POP3 and SMTP connections.
With some SSL versions on server side there still are problems, but in
general The Bat! can handle SSL for SMTP and POP3.
The only thing it still ain't capable to do is: IMAP-over-SSL.

> That's what counts to me.

AFAIR this thread wasn't about "what counts to you", neither was my
response. My mail was about "what authentication and security mechanisms
are present in The Bat! and how are they chosen to be used".
If you don't like The Bat! not fully supporting some functions you'd
need that's a different story. _I_ just wanted to clear the confusion
about CRAM-MD5 vs. SSL.

> In fact, I am not sure whether they will ever waste their time again
> on this matter.

If even _you_ call this "waste of time" they surely will not.
If IMAP and IMAP-over-SSL are implemented and working (according to what
Beta-testers and daily use brings to daylight) they wouldn't "waste"
time, IMHO ...

> TB is still the best mailer I have ever seen. It is (IMO) a
> result of brilliant programmers - but hey,

> we need this secure thing to fly flawlessly: just "click here to
> exchange certificates" and all is done "automatically".

There's a big difference between "SSL working flawlessly" and
"automation of certificate exchange".
The former statement is correct: it _has_ to work flawlessly, _absolutely_
flawlessly. Into this category belongs the fixing of "unable to connect"
errors that are caused by a specific SSL version on server side (which
works with every other MUA).
The latter postulation can open a big security hole if not handled
carefully. These "Click here once and everything is done automatically"
buttons are always possible intruders of security issues.
I don't even know how "exchange certificates" could be done, but the
whole certificate problem has a two step solution:

Step one requires RITLabs to provide a generic interface for an
institution / system administrator to add a "Trusted Root CA" to the
appropriate AB automatically.
Either by being able to put the "Trusted Root CA" AB on a server for
a central administrator being able to modify it (and _only_ the admin
being able to do so) and import an own Root-certificate into this AB; or
by providing an automatic "post installation import" of a "Trusted Root
Certificate" into this AB. This could, just for being sure, be expanded to
"Trusted Intermediate CA" AB. No user would have problems anymore
connecting to a server using a certificate signed by this Root
certificate or any derived intermediate certificate.

Step two would be to introduce a new dialog box: 

,-------------[ ]
| "Accept this self signed certificate?"
|
| Fingerprint: XXXXXXX
| Please compare the fingerprint with information the servers
| administrator provided to the used certificate to make sure this is
| the correct server
|
| [ ] Always accept (import to "Trusted Root CA")
|       <Details>        <OK>           <Cancel>
`-------------

Which pops up if a connection is established and the used certificate is
a self-signed one not yet in "Trusted Root CA" AB.
<Details> could reveal more details about the certificate for the user
being able to compare this with information provided e.g. on a web site,
to make sure there's no "man in the middle" attack.

All these are semi-automatic solutions, but from a "Security POV" this
should be preferred over one of these "Click here once to do it all
without you even knowing _what_ is done" buttons.

But all this stuff wasn't topic of this thread and therefore should be
discussed in a different one. Even better it should be discussed on
TBTECH or TBBETA, it's nothing that's yet implemented and therefore
this basic discussion of possible solutions is not a problem of "The
Bat! Users" but a "How to improve future use?" problem.

> [Original message, 31/12/2002, 21:39]
> 
> Peter Palmreuther <[EMAIL PROTECTED]> wrote:
> 
> PP> 1.)  The Bat! uses the authentication method it is configured
> PP> to  us ...

Three questions still left:

1.) Why did you quote this paragraph of my mail? I can't see the
    correlation to your response.
2.) Why did you quote it _below_ your response? If you refer to it in
    your post it's more wise to quote it at top, if you don't refer to
    it it should be left out to avoid confusion.
3.) Is there a special reason for you not making use of a so called
    "signature delimiter", which consists of <dash><dash><space><enter>
    at the beginning of a line, as propagandized in TBUDL welcome
    message?
-- 
Best regards
Peter

________________________________________________
Current version is 1.62 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html
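
Added example, not part of the original post and not The Bat! code: a sketch of the decision behind the "Accept this self signed certificate?" dialog from step two, with the comparison done by the program against a fingerprint the user enters from the administrator instead of by eye. SHA-256 as the fingerprint algorithm, the function names and the sample bytes are assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the DER bytes of a server certificate (not a real
# certificate); a real client would take these bytes from the SSL handshake.
SAMPLE_CERT_DER = b"constructed-self-signed-certificate-der-bytes"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, shown as colon-separated upper-case hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Keep hex digits only, so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def decide(cert_der, self_signed, trusted, admin_fp=None, always_accept=False):
    """Return 'accept', 'reject' or 'normal-validation' for one connection.

    trusted       -- set of normalized fingerprints (the "Trusted Root CA" AB)
    admin_fp      -- fingerprint the user received from the administrator
    always_accept -- state of the dialog's "Always accept" checkbox
    """
    seen = normalize(fingerprint(cert_der))
    if seen in trusted:
        return "accept"              # imported earlier, no dialog needed
    if not self_signed:
        return "normal-validation"   # CA-signed: the ordinary chain check applies
    if admin_fp is None:
        return "reject"              # <Cancel>, or nothing to compare against
    if not hmac.compare_digest(seen, normalize(admin_fp)):
        return "reject"              # mismatch: possible man in the middle
    if always_accept:
        trusted.add(seen)            # import only after a successful comparison
    return "accept"
```

The store is changed only on a matching fingerprint with "Always accept" ticked, so a mistyped or absent fingerprint never widens what the client trusts.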
