Linus Nordberg linus@nordberg.se writes:
nisse@lysator.liu.se (Niels Möller) wrote 28 Sep 2004 09:16:35 +0200:
| resource should probably contain sender and recipient (from
| the SMTP envelope) and random salt (determined by the server).
Do we need to take resource apart again, I wonder? In that case we need a separator between the components. Not ':'.
Some answers to related questions:
* The client must check that the resource string is constructed according to the rules, in order to avoid interleaving attacks.
* I think the most robust way to achieve that is to let the client construct the resource string independently. The server only sends the salt in the challenge message.
* I think it's good cryptographic practice to have the function that constructs the resource string from its inputs be collision free. I.e. there should not be two sets of input that results in the same resource string. The simplest ways to do that is to either use unique separator (if a suitable character exists), or add explicit length prefixes to each component.
| I don't think the date matters much to us. But should it
| really be just two digits for the year?
Apparently that's the default. You can evidently choose between 6, 10 and 12 with `-z'.
What does the ten-character format look like? 6-character dates are just too stupid for this millennium.
Should the mailing list be kept in English, do you think?
English makes some sense, even if at the moment you and I are the only two subscribers.
One other comment: I noticed that you refer to RFC 821 in the comments in your code. You should also look at the updated version, RFC 2821.
/Niels
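As an added illustration of the resource-string point in the message above (example code, not from the thread or its project): a length-prefixed encoding of sender, recipient and server salt that is collision free, beside the ambiguous ':'-joined form; the `<len>:<component>` layout, the field names and the sample addresses are my assumptions.

```python
import secrets

def naive_resource(sender: str, recipient: str, salt: str) -> str:
    """Ambiguous form: a ':' inside a component moves the field boundary."""
    return ":".join((sender, recipient, salt))

def encode_resource(sender: str, recipient: str, salt: str) -> str:
    """Collision-free form (assumed layout): each field is written as
    '<byte length>:<bytes>', so the decoder never has to guess where a
    component ends and no two distinct triples produce the same string."""
    out = b""
    for comp in (sender, recipient, salt):
        raw = comp.encode("utf-8")
        out += str(len(raw)).encode("ascii") + b":" + raw
    return out.decode("utf-8")

def decode_resource(resource: str) -> tuple:
    """Inverse of encode_resource; raises ValueError on any malformed input."""
    data = resource.encode("utf-8")
    fields, pos = [], 0
    for _ in range(3):
        colon = data.find(b":", pos)
        if colon < 0 or not data[pos:colon].isdigit():
            raise ValueError("malformed length prefix")
        start = colon + 1
        end = start + int(data[pos:colon])
        if end > len(data):
            raise ValueError("component truncated")
        fields.append(data[start:end].decode("utf-8"))
        pos = end
    if pos != len(data):
        raise ValueError("trailing data after third component")
    return tuple(fields)

def is_well_formed(resource: str) -> bool:
    """The check a client would run before accepting a resource string."""
    try:
        decode_resource(resource)
        return True
    except ValueError:
        return False

def client_resource(envelope_from: str, envelope_rcpt: str, salt: str) -> str:
    """Client side as proposed above: the server's challenge carries only the
    salt; the client rebuilds the resource from its own envelope data."""
    return encode_resource(envelope_from, envelope_rcpt, salt)

def server_salt() -> str:
    # Server-chosen random salt (64 bits, hex); length is an assumption.
    return secrets.token_hex(8)
```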