[lemonade] Re: Comments on draft-ietf-lemonade-urlauth-07.txt
Mark Crispin <MRC@CAC.Washington.EDU> Tue, 09 August 2005 22:22 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E2cUW-0001MQ-Cv; Tue, 09 Aug 2005 18:22:36 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E2cUU-0001LT-Fe; Tue, 09 Aug 2005 18:22:34 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA19216; Tue, 9 Aug 2005 18:22:31 -0400 (EDT)
Received: from mxout5.cac.washington.edu ([140.142.32.135]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E2d2S-0000my-Ia; Tue, 09 Aug 2005 18:57:41 -0400
Received: from smtp.washington.edu (smtp.washington.edu [140.142.33.9]) by mxout5.cac.washington.edu (8.13.4+UW05.04/8.13.4+UW05.05) with ESMTP id j79MMVCp005888 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 9 Aug 2005 15:22:31 -0700
X-Auth-Received: from Tomobiki-Cho.CAC.Washington.EDU (tomobiki-cho.cac.washington.edu [128.95.135.58]) (authenticated authid=mrc) by smtp.washington.edu (8.13.4+UW05.04/8.13.4+UW05.07) with ESMTP id j79MMVLu020720 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Tue, 9 Aug 2005 15:22:31 -0700
Date: Tue, 09 Aug 2005 15:22:30 -0700
From: Mark Crispin <MRC@CAC.Washington.EDU>
To: Randall Gellens <randy@qualcomm.com>
In-Reply-To: <p07000c0cbf1ed94319e8@[192.168.1.13]>
Message-ID: <Pine.WNT.4.64.0508091519060.1824@Tomobiki-Cho.CAC.Washington.EDU>
References: <p07000c03bf127ddcfd5c@[192.168.1.13]> <Pine.OSX.4.63.0508050254260.477@pangtzu.panda.com> <p07000c0cbf1ed94319e8@[192.168.1.13]>
Organization: Networks & Distributed Computing
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 93238566e09e6e262849b4f805833007
Cc: Lemonade <lemonade@ietf.org>, iesg@ietf.org
Subject: [lemonade] Re: Comments on draft-ietf-lemonade-urlauth-07.txt
X-BeenThere: lemonade@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Enhancements to Internet email to support diverse service enivronments <lemonade.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/lemonade>, <mailto:lemonade-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:lemonade@ietf.org>
List-Help: <mailto:lemonade-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/lemonade>, <mailto:lemonade-request@ietf.org?subject=subscribe>
Sender: lemonade-bounces@ietf.org
Errors-To: lemonade-bounces@ietf.org
On Tue, 9 Aug 2005, Randall Gellens wrote: > Likely I'm the one confused, but if user B captures a urlauth URL for user A, > and shares the same servers, then B can submit a new message using the same > urlauth URL, right? No; because the submit server is supposed to validate that the userid in a submit+<userid> is the userid used to log into the submit server. Since user B can't log in as user A to the submit server, that loophole is closed. Also, user B can't use that urlauth URL with the IMAP server directly, because user B isn't a submit server. > Also, if B can capture the message submission of A, then B can directly > capture data not referenced by a URL, and this is a threat regardless of the > use of urlauth or not. Correct. -- Mark -- http://staff.washington.edu/mrc Science does not emerge from voting, party politics, or public debate. Si vis pacem, para bellum. _______________________________________________ lemonade mailing list lemonade@ietf.org https://www1.ietf.org/mailman/listinfo/lemonade
- [lemonade] Comments on draft-ietf-lemonade-urlaut… Randall Gellens
- [lemonade] Re: Comments on draft-ietf-lemonade-ur… Mark Crispin
- RE: [lemonade] Re: Comments on draft-ietf-lemonad… Eric Burger
- RE: [lemonade] Re: Comments on draft-ietf-lemonad… Mark Crispin
- [lemonade] Re: Comments on draft-ietf-lemonade-ur… Randall Gellens
- [lemonade] Re: Comments on draft-ietf-lemonade-ur… Mark Crispin
- [lemonade] Re: Comments on draft-ietf-lemonade-ur… Randall Gellens