Re: Section 4.1 Login Phase Start

Matthew,

> Either it is optional and the target should not ignore it (e.g. check the
> name against the existing session), or it should not be sent at all.

I couldn't agree more.

A third position would be that it be required, AND checked.

Frankly, I see little point in making it optional. If I'm an initiator, and it's optional, I'm not going to send it, because it's one less error condition (that I may have created) I have to specifically address in the response.

If we believe there is an important and likely programming error (it doesn't detect a regular, operational condition, right?) vulnerability that is detected by checking the target name on following logins, we should require that they always be sent.

Personally, I don't see such a vulnerability. This argues for requiring that target name NOT be sent on following logins. That is what I suggested, once upon a time.

Whatever we choose, optional doesn't really seem like a useful position.

Steph
Last updated: Tue Sep 04 01:04:33 2001