Re: Security Problems

Barton E. Schaefer (schaefer@z-code.ncd.com)
Mon, 4 Mar 1996 09:59:50 -0800

On Mar 4,  9:14am, Michael Elkins wrote:
} Subject: Re: Security Problems
}
} On Mar 3, Terry Ritter <ritter@io.com> wrote:
} >  1. Announcing in open headers that a message is in cipher is a
} >     serious security problem.  At certain times and places simply
} >     sending such a message could be a dangerous activity.
} > 
} >     The issue is whether a user who wishes to use ciphering should
} >     be forced to *announce* that fact [....]  The payload
} >     should simply be a block of uninterpreted data which the
} >     receiving user is expected to know how to use.
} 
} I understand the concern about this, but if it is not labeled as encrypted
} somehow, a receiving agent won't be able to tell the difference between
} encrypted and non-encrypted data.

I don't think there's any reason to argue about this.  Nothing prevents
a user from encrypting an object outside the mail system and then sending 
the encrypted block as application/octet-stream, or as any other type.
If "the receiving user is expected to know how to use" the thing he gets,
then that knowledge has already been exchanged out of band, and there's
no reason to include the labeling in the message.

The standards are intended to apply in cases where the recipient needs
to be informed about what the data represents.  If you don't need the
functionality, don't use it.

-- 
Bart Schaefer                     Vice President, Technology, Z-Code Software
schaefer@z-code.com                  Division of NCD Software Corporation
http://www.well.com/www/barts