[standards-jig] Security problems with JEP-115
mass at akuma.org
Mon Sep 22 20:33:37 UTC 2003
Joe Hildebrand wrote:
>Why couldn't I just send a MD-5 that matches the bad info that I was about
>to give out? How is that any different than what we have now? It would
>have to be PKI-signed to get any added value out, and that raises an
>entirely different set of issues.
Your client does not send version, it sends a hash of a canonical list
of features (given by discovery). You cache hashes you have not seen
before mapping to the discovery (and for security reasons, you
regenerate the hash before adding the entry to your cache).
More information about the Standards