storing password lists in mails to myself on IMAP?

Robert J. Hansen rjh at sixdemonbag.org
Fri Feb 16 18:16:39 CET 2007


> Maybe you should think things through, or God forbid even run a
> few tests or something before puffing your chest there Robert.
> Especially when you're in the unenviable position of potentially
> being your own proof of concept.

I don't know why you have such an allergy to being shown wrong.  Or  
why you think I do.

It works like this: if you can find me a commonly-used IMAP client  
that's this stupid, then I will welcome being shown wrong.  And  
really, why shouldn't I?  Being wrong isn't the end of the world.

But until you can show me an IMAP client in common use which is dumb  
enough to store sensitive and arbitrary data server-side, then I'm  
going to continue to say this is a nonissue and you shouldn't worry  
about it.

You can also assume the existence of MUAs which, when you encrypt  
data, will also send an unencrypted copy to a recipient.  This could  
be done while still being perfectly in accordance with the OpenPGP  
spec.  And yet, we're not worried about MUAs doing it.  Why?  Because  
it's so incredibly dumb that we're going to assume people are smarter  
than that.  The same logic applies here.

Once you show me a commonly-used IMAP client that's this stupid, I'll  
happily admit that yes, I was wrong, and some IMAP client authors are  
this stupid.  But until then, what's the use in fearmongering?





More information about the Gnupg-users mailing list