Wed, 11 Jun 1997 19:21:35 EDT
> Since these
> passwords are sent by clear-text e-mail you're just not going to be able
> to prevent administrators from finding out what they are. Maybe one day
> PEM will become widely available and the whole authentication scheme will
> change, but with plain text passwords sent over a medium that often
> bounces stuff to the postmaster (the postmaster being usually a bored
> student who figured this paid more than 7/11), you just have to accept
> that security is limited. This is why there are options to disable
> password usage and force the use of the "confirm" mechanism.

I'm not holding my breath waiting for PEM to become popular, but there
are two digital signature systems for email that it would be useful for
LISTSERV to support as alternatives to clear text passwords and the
fairly secure, but irritating and awkward, confirmation mechanism. One
is PGP and the other is S/MIME. A number of vendors are coming out
with implementations of S/MIME. Also, PGP will soon support automatic
querying of keyservers.

Speaking of the confirmation mechanism, it would be nice if, when
LISTSERV reached a command requiring confirmation, it simply held the
rest of the command stream until the confirmation is completed. Then
it could execute the rest of the commands knowing that the confirmation
was completed, without asking again. 1.8d's OK BEGIN will be a step in
the right direction, but it still requires the user to remember to do
something extra.