
Re: tmda: Challenge-response is fundamentally broken



On Wed, Aug 27, 2003 at 04:07:58PM +0300, Kalle Kivimaa wrote:
> Mark Brown <broonie@sirena.org.uk> writes:
> > You do realise that all parts of SMTP are generally completely
> > unauthenticated and can be trivially forged?  A system like this has no
> > option but to work with unauthenticated data.
> 
> Why cannot the C-R system issue the challenge during the SMTP session
> (respond with a reject containing the challenge)?

Read SMTP 2821, and find out for yourself. Hint: SMTP is intended to be
noninteractive, while this thing tries to get confirmation from a human
being.

-- 
Wouter Verhelst
Debian GNU/Linux -- http://www.debian.org
Nederlandstalige Linux-documentatie -- http://nl.linux.org
"Stop breathing down my neck." "My breathing is merely a simulation."
"So is my neck, stop it anyway!"
  -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.


