Hi CEEJOE,

First, let me ask you to _NOT_ CC me when replying to a mail of mine on this list. I am, like everybody else who writes to this list, subscribed here and do get all the mail via this list. I don't need a private carbon copy.

Second, I want to ask why you change the subject in such a strange manner. Neither are the square brackets useful to keep an overview, nor does any arbitrary time appended to the subject make any sense to me. Is there a special reason why we should have an eye on this time?

On Thu, 2 Jan 2003 04:08:06 +0000 CEEJOE <[EMAIL PROTECTED]> wrote:

> A lot of theory.

That's the basics of e-mail working in practice.

> However, TheBat can't handle secure IMAP4/secure
> POP3 connections flawlessly

It can handle SSL-secured POP3 and SMTP connections. With some SSL versions on server side there still are problems, but in general The Bat! can handle SSL for SMTP and POP3. The only thing it still ain't capable to do is: IMAP-over-SSL.

> That's what counts to me.

AFAIR this thread wasn't about "what counts to you", neither was my response. My mail was about "what authentication and security mechanisms are present in The Bat! and how are they chosen to be used". If you don't like The Bat! not fully supporting some functions you'd need, that's a different story. _I_ just wanted to clear the confusion about CRAM-MD5 vs. SSL.

> In fact, I am not sure whether they will ever waste their time again
> on this matter.

If even _you_ call this "waste of time" they surely will not. If IMAP and IMAP-over-SSL are implemented and working (according to what Beta-testers and daily use brings to daylight) they wouldn't "waste" time, IMHO ...

> TB is still the best mailer I have ever seen. It is (IMO) a
> result of brilliant programmers - but hey,
> we need this secure thing to fly flawlessly: just "click here to
> exchange certificates" and all is done "automatically".

There's a big difference between "SSL working flawlessly" and "automation of certificate exchange". The former statement is correct: it _has_ to work flawlessly, _absolutely_ flawlessly. Into this category belongs the fixing of "unable to connect" errors that are caused by a specific SSL version on server side (which works with every other MUA). The latter postulation can open a big security hole if not handled carefully. These "Click here once and everything is done automatically" buttons are always possible intruders of security issues.

I don't even know how "exchange certificates" could be done, but the whole certificate problem has a two step solution:

Step one requires RITLabs to provide a generic interface for an institution / system administrator to add a "Trusted Root CA" to the appropriate AB automatically. Either by being able to put the "Trusted Root CA" AB on a server for a central administrator being able to modify it (and _only_ the admin being able to do so) and import an own Root certificate into this AB; or by providing an automatic "post installation import" of a "Trusted Root Certificate" into this AB. This could, just for being sure, be expanded to the "Trusted Intermediate CA" AB. No user would have problems anymore connecting to a server using a certificate signed by this Root certificate or any derived intermediate certificate.

Step two would be to introduce a new dialog box:

,-------------[ ]
| "Accept this self signed certificate?"
|
| Fingerprint: XXXXXXX
| Please compare the fingerprint with information the servers
| administrator provided to the used certificate to make sure this is
| the correct server
|
| [ ] Always accept (import to "Trusted Root CA")
| <Details> <OK> <Cancel>
`-------------

Which pops up if a connection is established and the used certificate is a self-signed one not yet in the "Trusted Root CA" AB. <Details> could reveal more details about the certificate for the user being able to compare this with information provided e.g. on a web site, to make sure there's no "man in the middle" attack.

All these are semi-automatic solutions, but from a "Security POV" this should be preferred over one of these "Click here once to do it all without you even knowing _what_ is done" buttons.

But all this stuff wasn't topic of this thread and therefore should be discussed in a different one. Even better it should be discussed on TBTECH or TBBETA, it's nothing that's yet implemented and therefore this basic discussion of possible solutions is not a problem of "The Bat! Users" but a "How to improve future use?" problem.

> [Original message, 31/12/2002, 21:39]
>
> Peter Palmreuther <[EMAIL PROTECTED]> wrote:
>
> PP> 1.) The Bat! uses the authentication method it is configured
> PP> to us ...

Three questions still left:

1.) Why did you quote this paragraph of my mail? I can't see the correlation to your response.

2.) Why did you quote it _below_ your response? If you refer to it in your post it's more wise to quote it at top, if you don't refer to it it should be left out to avoid confusion.

3.) Is there a special reason for you not making use of a so called "signature delimiter", which consists of <dash><dash><space><enter> starting at a line's beginning, as propagandized in TBUDL welcome message?

-- 
Best regards
Peter

________________________________________________
Current version is 1.62 | "Using TBUDL" information: http://www.silverstones.com/thebat/TBUDLInfo.html
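
The "step two" dialog flow described in the mail above, sketched as an added example; it is not part of the original post and not RITLabs code. The function names, the SHA-256 fingerprint, the byte strings standing in for DER-encoded certificates, and modelling the user's visual comparison as entering the administrator-provided fingerprint are all assumptions; validating chains against a root from step one is left out.

```python
import hashlib
import hmac

# Constructed placeholder bytes, not real certificates.
SAMPLE_CERT = b"constructed-self-signed-cert-A"
OTHER_CERT = b"constructed-self-signed-cert-B"

def fingerprint(der: bytes) -> str:
    """SHA-256 over the encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    # Fingerprints get published with mixed case, colons or spaces.
    return "".join(c for c in fp if c not in ": \t").upper()

class TrustedRootStore:
    """Stand-in for the "Trusted Root CA" address book (assumption)."""
    def __init__(self):
        self._fps = set()

    def add(self, der: bytes) -> None:
        self._fps.add(normalize(fingerprint(der)))

    def contains(self, der: bytes) -> bool:
        return normalize(fingerprint(der)) in self._fps

def check_server_cert(store: TrustedRootStore, der: bytes) -> str:
    """Self-signed certificate seen on connect: accept only if imported."""
    return "accept" if store.contains(der) else "prompt"

def answer_dialog(store, der, admin_fp: str, always_accept: bool) -> bool:
    """<OK> succeeds only if the admin-provided fingerprint matches.

    A mismatch behaves like <Cancel>: nothing is imported, so a
    man-in-the-middle certificate never reaches the store.
    """
    shown = normalize(fingerprint(der)).encode()
    given = normalize(admin_fp).encode()
    if not hmac.compare_digest(shown, given):
        return False
    if always_accept:
        store.add(der)
    return True
```

A certificate that differs from the imported one is not in the store, so it prompts again instead of being accepted silently.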