[standards-jig] Security problems with JEP-115

David Waite mass at akuma.org
Mon Sep 22 20:33:37 UTC 2003

Joe Hildebrand wrote:

>Why couldn't I just send an MD-5 that matches the bad info that I was about
>to give out?  How is that any different than what we have now?  It would
>have to be PKI-signed to get any added value out, and that raises an
>entirely different set of issues.

Your client does not send a version, it sends a hash of a canonical list 
of features (given by discovery). You cache hashes you have not seen 
before mapping to the discovery (and for security reasons, you 
regenerate the hash before adding the entry to your cache).
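
The verify-before-caching step described in the reply, as an added example that is not part of the original message or of JEP-115. The canonical form (de-duplicated feature names, sorted, newline-terminated), the MD5 default (taken from the quoted question), and the names `canonical_hash` and `CapsCache` are assumptions.

```python
import hashlib


def canonical_hash(features, algo="md5"):
    # Assumed canonical form: unique feature names, sorted, each followed
    # by "\n", encoded as UTF-8. The thread does not define the real one.
    canon = "".join(name + "\n" for name in sorted(set(features)))
    return hashlib.new(algo, canon.encode("utf-8")).hexdigest()


class CapsCache:
    """Maps an advertised hash to the feature list obtained by discovery."""

    def __init__(self, algo="md5"):
        self.algo = algo
        self._by_hash = {}

    def lookup(self, advertised_hash):
        # None means "hash not seen before": the caller must run discovery.
        return self._by_hash.get(advertised_hash.lower())

    def learn(self, advertised_hash, discovered_features):
        # Regenerate the hash from the discovery result. An entry is stored
        # only when the result really hashes to the advertised value, so one
        # peer cannot bind a feature list to a hash other clients advertise.
        recomputed = canonical_hash(discovered_features, self.algo)
        if recomputed != advertised_hash.lower():
            return False
        self._by_hash.setdefault(recomputed, frozenset(discovered_features))
        return True


def demo():
    # Constructed sample data: feature names are illustrative only.
    honest = ["jabber:iq:version", "http://jabber.org/protocol/disco#info"]
    popular_hash = canonical_hash(honest)

    cache = CapsCache()
    # A peer advertises the popular hash but answers discovery with a
    # different feature list: the entry is rejected, the cache stays clean.
    poisoned = cache.learn(popular_hash, honest + ["jabber:iq:constructed"])
    # A peer whose discovery result matches its advertised hash is cached.
    accepted = cache.learn(popular_hash, list(reversed(honest)))
    return poisoned, accepted, cache.lookup(popular_hash)


if __name__ == "__main__":
    print(demo())
```
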

