
Re: Bug#170069: ITP: grunt -- Secure remote execution via UUCP or e-mail using GPG



John Goerzen wrote:
> After verifying the signature on the data, the receiver does some sanity
> checks.  One of the checks is doing an md5sum over the entire file
> (remember, this includes both the headers and the payload).  If it
> has seen the same md5sum in the last 60 days, it rejects the request.  If
> the date of the request was more than 30 days ago, it rejects the request.

Hold on, if you're md5summing the headers, what is to stop an attacker
from modifying the subject, and using an intercepted, gpg-signed body to
repeat the command?

-- 
see shy jo
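
The question above turns on which bytes feed the duplicate check. The following is an added example, not part of either message and not grunt's code: it applies the 30-day and 60-day rules from the quoted text to two caches, one hashing bytes that include an unsigned outer header and one hashing only the signature-covered bytes. `ReplayGuard`, `demo` and the sample messages are hypothetical, signature verification is assumed to have already succeeded, and SHA-256 stands in for md5sum.

```python
import hashlib
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=30)   # reject requests dated earlier than this
REMEMBER = timedelta(days=60)  # how long an accepted digest is remembered

class ReplayGuard:
    def __init__(self):
        self.seen = {}  # hex digest -> time the request was accepted

    def check(self, digest_input, request_date, now):
        """request_date must be parsed from signature-covered bytes."""
        self.seen = {d: t for d, t in self.seen.items() if now - t <= REMEMBER}
        if now - request_date > MAX_AGE:
            return "reject: too old"
        # SHA-256 stands in for the md5sum mentioned in the thread.
        digest = hashlib.sha256(digest_input).hexdigest()
        if digest in self.seen:
            return "reject: duplicate"
        self.seen[digest] = now
        return "accept"

def demo():
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed clock
    sent = now - timedelta(days=1)
    # Constructed sample: the bytes the signature covers.
    signed = b"Date: 2024-01-09\n\nuptime\n"
    first = b"Subject: job 1\n\n" + signed    # as originally delivered
    resent = b"Subject: job 2\n\n" + signed   # same signed bytes, new outer header

    outer = ReplayGuard()  # digest includes the unsigned outer header
    inner = ReplayGuard()  # digest covers only the signed bytes
    results = {
        "outer": [outer.check(first, sent, now), outer.check(resent, sent, now)],
        "inner": [inner.check(signed, sent, now), inner.check(signed, sent, now)],
    }
    # 61 days on, the cache has forgotten the digest; the date check still rejects.
    later = now + timedelta(days=61)
    results["after_expiry"] = inner.check(signed, sent, later)
    return results

if __name__ == "__main__":
    print(demo())
```

The 60-day memory only needs to outlast the 30-day age limit if the date used for the age check comes from inside the signed data.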
