Linus Nordberg <linus(a)nordberg.se> writes:
> nisse(a)lysator.liu.se (Niels Möller) wrote
> 28 Sep 2004 09:16:35 +0200:
>
> | resource should probably contain the sender and recipient (from the
> | SMTP envelope) and a random salt (chosen by the server).
>
> Do we need to take resource apart again, I wonder? In that case we need a
> separator between the components. Not ':'.
Some answers to related questions:
* The client must check that the resource string is constructed
according to the rules, in order to avoid interleaving attacks.
* I think the most robust way to achieve that is to let the client
construct the resource string independently. The server only sends
the salt in the challenge message.
* I think it's good cryptographic practice to have the function that
constructs the resource string from its inputs be collision free.
I.e. there should not be two sets of input that result in the same
resource string. The simplest ways to do that are to either use a
unique separator (if a suitable character exists), or add explicit
length prefixes to each component.
> | I don't think the date matters much for us. But should it really
> | be only two digits for the year?
>
> That is apparently the default. You can apparently choose between 6, 10 and
> 12 with `-z'.
What does the ten-character format look like? 6-character dates are just
too stupid for this millennium.
> Should the mailing list be kept in English, do you think?
English makes some sense, even if at the moment you and I are the only
two subscribers.
One other comment: I noticed that you refer to RFC 821 in the comments
in your code. You should also look at the updated version, RFC 2821.
/Niels
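The length-prefix construction and the client-side reconstruction check discussed above, as an added Python example that is not code from the thread or the project; the function names and the byte layout `<decimal length>:<bytes>` are my own assumptions:

```python
# Added example, not code from the thread: a length-prefixed, collision-free
# encoding of the resource string (sender, recipient, server salt) next to the
# ambiguous ':'-joined form, plus the client-side check. Names are hypothetical.


def naive_resource(sender: str, recipient: str, salt_hex: str) -> str:
    """The ':'-joined form the thread warns against: two different
    (sender, recipient) pairs can produce the same string if a component
    itself contains ':'."""
    return ":".join((sender, recipient, salt_hex))


def encode_resource(sender: str, recipient: str, salt: bytes) -> bytes:
    """Length-prefix every component so no two input triples encode alike.
    Each field becomes b'<decimal length>:<bytes>'; the length is read before
    the payload, so a ':' inside a mailbox name cannot move a field boundary."""
    fields = (sender.encode("utf-8"), recipient.encode("utf-8"), salt)
    return b"".join(b"%d:%s" % (len(f), f) for f in fields)


def decode_resource(blob: bytes) -> list:
    """Inverse of encode_resource. Raises ValueError on malformed input
    (missing separator, non-numeric length, truncated field)."""
    fields, i = [], 0
    while i < len(blob):
        j = blob.index(b":", i)          # ValueError if no separator follows
        length = blob[i:j]
        if not length.isdigit():         # rejects empty, '-1', non-digits
            raise ValueError("bad length prefix")
        n = int(length)
        start, end = j + 1, j + 1 + n
        if end > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[start:end])
        i = end
    return fields


def client_check(sender: str, recipient: str, salt: bytes, offered: bytes) -> bool:
    """The client does not trust a resource string handed to it: it rebuilds
    the string from its own envelope data plus the salt from the challenge and
    accepts only an exact match. This is the check against interleaving
    attacks mentioned in the thread; the server only needs to send the salt."""
    return offered == encode_resource(sender, recipient, salt)
```

Constructed inputs such as sender `a:b@x.se` / recipient `c@y.se` versus sender `a` / recipient `b@x.se:c@y.se` collide under `naive_resource` but not under `encode_resource`.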