[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#170069: ITP: grunt -- Secure remote execution via UUCP or e-mail using GPG

On Fri, 22 Nov 2002, Joey Hess wrote:

> > After verifying the signature on the data, the receiver does some sanity
> > checks.  One of the checks is doing an md5sum over the entire file
> > (remember, this includes both the headers and the payload).  If it
> > has seen the same md5sum in the last 60 days, it rejects the request.  If
> > the date of the request was more than 30 days ago, it rejects the request.
> 
> Hold on, if you're md5summing the headers, what is to stop an attacker
> from modifying the subject, and using an intercepted, gpg-signed body to
> repeat the command?

PGP signatures have a signature ID and a date that are ment to be used to
prevent against replay attacks. I forget the exact details but there is a
gpg mode that prints it out. The db.debian.org gateways all make use of
it. 

Jason
Reply to: