Re: Some security-related suggestions

John Gardiner Myers <jgm+@cmu.edu> Wed, 08 June 1994 21:13 UTC

Message-ID: <ghxX1V600WBwA10EIh@andrew.cmu.edu>
Date: Wed, 8 Jun 1994 16:56:01 -0400 (EDT)
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: John Gardiner Myers <jgm+@cmu.edu>
To: POP3 IETF Mailing List <ietf-pop3+@andrew.cmu.edu>
Subject: Re: Some security-related suggestions
In-Reply-To: <01HDAU9FMBC09KM0RO@SIGURD.INNOSOFT.COM>
References: <01HDAU9FMBC09KM0RO@SIGURD.INNOSOFT.COM>
Beak: Is

Ned Freed <NED@SIGURD.INNOSOFT.COM> writes:
>    "Providing an indication of the existence of an account in the absence of
>    a proper password lets attackers narrow the search to known accounts, and
>    thus represents an increased security risk." 

There are people who still believe this?  Attackers can narrow the
search to known accounts by examining the local-parts of addresses in
messages sent from the site.

These issues aren't mentioned at all in RFC 1510.  If the issues
aren't important enough to deal with in Kerberos, why should they be
addressed in POP?

-- 
_.John G. Myers		Internet: jgm+@CMU.EDU
			LoseNet:  ...!seismo!ihnp4!wiscvm.wisc.edu!give!up