Using DCC with forwarding?

Vernon Schryver vjs@calcite.rhyolite.com
Wed May 22 05:12:30 UTC 2002


> From: "Mark Motley" <mark@motleynet.com>

> ...
> Oh, I see what you mean.  Again, I haven't played with the new per-user
> whitelists yet.  I assume that they only come into effect if the email
> is to that particular user (instead of globally as is the case with
> whiteclnt)?  If so, that's quite useful.

What's supposed to happen is that for each target, the checksums of
the message are first checked in the per-target whitelist.  If it does
not give an unabiguous black or white answer, the global list is checked.
The message is delivered or not to each target based on the individual
answers found by that process.  (Of course, there are optimizations
such as only checking the global list once.)


> ...
> In other words, user joe@xyz.com wants to deal with his whiltelists.
> Joe brings up the WWW system for that, but needs to supply his
> username/password.  That could be authenticated via IMAP just to make
> sure it's correct.

I don't understand that.  How do you use IMAP to provide HTTP
authentication?  I can see copying a IMAP password database to an
Apache "user" file, but that's not the same thing.

>                     Once that's done, everything else can be done via
> session cookie (or can be stored in a cookie using a one-way pad).
> ...

Why use cookies?  Why not use the normal HTTP authentication stuff?
For example, consider how https://www.rhyolite.com/anti-spam/dcc/private/
works.  See section 11.1 of RFC 1945 at some place like
http://www.ietf.org/rfc/rfc1945.txt
Why do some outfits such as http://freshmeat.net/ use ordinary cookies
instead of the HTTP authentication stuff?  I can't see how ordinary can
be more secure.  Since the authenticating token is stored in the 
browser's stable cookie storage (i.e. file), it seems strictly less secure.
Since it is wide open to anyone with access to the keyboard of a
browser that has ever logged in, it seems down right evil.


Vernon Schryver    vjs@rhyolite.com



More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.