[147464] in cryptography@c2.net mail archive


Re: [Cryptography] Why is emailing me my password?

daemon@ATHENA.MIT.EDU (Greg)
Wed Oct 2 11:07:14 2013

X-Original-To: cryptography@metzdowd.com
From: Greg <greg@kinostudios.com>
In-Reply-To: <524C3045.3070506@bluegap.ch>
Date: Wed, 2 Oct 2013 10:57:40 -0400
To: Markus Wanner <markus@bluegap.ch>
Cc: Nick <cryptography-list@njw.me.uk>, John Ioannidis <ji@tla.org>,
	Lodewijk andré de la porte <l@odewijk.nl>,
	"cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com



> Hm.. that's a nice idea, but I don't think it can work reliably. What if
> the send path changes in between? AFAIK there are legitimate reasons for
> that, like load balancers or weird greylisting setups.

You're right, I think I misunderstood you when you talked about a "one
time password". I thought you were referring to something users would
have to come up with.

If by "one time password" you mean a server-generated token, then yes,
that would be far better.

That's standard practice for most mailing lists. The token is usually a
unique challenge link sent back to the user, and they can either click
on it or reply to the message while quoting the link in the body.
Sometimes it's also a unique number in the subject line.

- Greg

--
Please do not email me anything that you are not comfortable also
sharing with the NSA.

On Oct 2, 2013, at 10:40 AM, Markus Wanner <markus@bluegap.ch> wrote:

> On 10/02/2013 04:32 PM, Greg wrote:
>> I agree, I apologize for the excessively negative tone. I think RL (and
>> unrelated) agitation affected my writing and word choice. I've taken
>> steps to prevent that from happening again (via magic of self-censoring
>> software).
>
> Cool. :-)
>
>> I don't see why a one-time-password is necessary. Just check the headers
>> to verify that the send-path was the same as it was on the original request.
>
> Hm.. that's a nice idea, but I don't think it can work reliably. What if
> the send path changes in between? AFAIK there are legitimate reasons for
> that, like load balancers or weird greylisting setups.
>
> Plus: why should that part of the header be more trustworthy than any
> other part? Granted, at least the last IP is added by a trusted server.
> But doesn't that boil down to IP-based authentication?
>
> I'm not saying it's impossible, I just don't think it's as good as a
> one-time token. Do you know of a mailing list software implementing such
> a thing?
>
> Regards
>
> Markus Wanner
>
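
The confirmation flow Greg describes above (a server-generated challenge token that the subscriber returns by clicking a link, quoting the link in a reply body, or echoing it in the subject line), as an added example in Python. This is not code from the thread or from any mailing-list software; the class and function names, the lists.example.org URL, the three-day validity window and the sample messages are assumptions made for illustration.

```python
"""Mailing-list subscription confirmation with a server-generated one-time token.

Added example, not code from the thread or from any list software. The
class/function names, the lists.example.org domain, the TTL and the sample
messages are assumptions constructed for illustration.
"""
import hashlib
import re
import secrets
import time

TOKEN_TTL = 3 * 24 * 3600  # confirmation window in seconds (assumed policy)


class PendingSubscriptions:
    """Holds unconfirmed requests keyed by a hash of the token.

    Only the hash is stored: a leaked table does not let an attacker
    confirm on behalf of others, because the raw token exists only in
    the mail delivered to the address being verified.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry is testable
        self._pending = {}         # sha256(token) -> (address, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, address):
        """Register a pending request and return the mail to send to `address`.

        The token is bound server-side to the address it was issued for,
        so it cannot be replayed to confirm a different subscriber.
        """
        token = secrets.token_urlsafe(24)  # 24 CSPRNG bytes -> 32 url-safe chars
        self._pending[self._digest(token)] = (address, self._now() + TOKEN_TTL)
        link = f"https://lists.example.org/confirm/{token}"
        body = (f"Someone asked to subscribe {address} to the list.\n"
                f"To confirm, visit {link} or reply to this message,\n"
                f"keeping the subject line intact.\n")
        return {"to": address, "subject": f"confirm {token}", "body": body}

    def confirm(self, token):
        """Consume the token exactly once; return the confirmed address or None."""
        entry = self._pending.pop(self._digest(token), None)  # one-time use
        if entry is None:
            return None                      # unknown, already used, or forged
        address, expires_at = entry
        if self._now() > expires_at:
            return None                      # too old; the request must be redone
        return address


# The token as it appears in the link, in a quoted link, or in the subject.
_TOKEN_RE = re.compile(r"(?:confirm/|confirm\s+)([A-Za-z0-9_-]{32})")


def extract_token(subject, body):
    """Pull the challenge token out of a reply: subject first, then body.

    Nothing about the reply's Received path or sender IP is consulted; the
    proof of control is the secret itself, so relays, load balancers and
    greylisting between the two hops do not matter.
    """
    for text in (subject, body):
        m = _TOKEN_RE.search(text)
        if m:
            return m.group(1)
    return None
```

What makes this a stronger check than comparing header paths: the token comes from the server's CSPRNG (192 bits), so it cannot be guessed; it is bound to the address it was issued for; it expires; and it is deleted on first presentation whether or not the confirmation succeeds, so a late second use or a replay fails closed.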




_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography