Bug#170069: ITP: grunt -- Secure remote execution via UUCP or e-mail using GPG
On Fri, Nov 22, 2002 at 12:24:34AM -0500, Joey Hess wrote:
> > After verifying the signature on the data, the receiver does some sanity
> > checks. One of the checks is doing an md5sum over the entire file
^^^^^^^^^^^^^^^^^^^^
> > (remember, this includes both the headers and the payload). If it
> > has seen the same md5sum in the last 60 days, it rejects the request. If
> > the date of the request was more than 30 days ago, it rejects the request.
>
> Hold on, if you're md5summing the headers, what is to stop an attacker
> from modifying the subject, and using an intercepted, gpg-signed body to
> repeat the command?
It's an md5sum over the entire file. The file includes both the headers and
the body.
-- John
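
The two replay checks discussed in this thread, as an added Python example that is not grunt's own code. It assumes the signature has already been verified and that the digest is taken over the signed file's bytes; the class name, header names and sample request are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=30)      # requests dated earlier than this are rejected
SEEN_WINDOW = timedelta(days=60)  # how long a digest is remembered

class ReplayGuard:
    """Replay checks applied to a request AFTER its signature has verified."""

    def __init__(self):
        self.seen = {}  # hex digest -> time the request was first accepted

    def check(self, signed_file: bytes, request_date: datetime, now: datetime) -> str:
        # Forget digests that have aged out of the retention window.
        self.seen = {d: t for d, t in self.seen.items() if now - t <= SEEN_WINDOW}
        # The digest covers the whole signed file: headers and payload together.
        digest = hashlib.md5(signed_file).hexdigest()
        if digest in self.seen:
            return "reject: duplicate"
        if now - request_date > MAX_AGE:
            return "reject: too old"
        self.seen[digest] = now
        return "accept"

def demo():
    # Constructed sample request; the header names are hypothetical.
    request = b"Date: 2002-11-22\nCommand: uptime\n\npayload bytes\n"
    sent = datetime(2002, 11, 22)
    guard = ReplayGuard()
    return [
        guard.check(request, sent, sent + timedelta(days=1)),   # first delivery
        guard.check(request, sent, sent + timedelta(days=2)),   # same bytes replayed
        guard.check(request, sent, sent + timedelta(days=70)),  # digest no longer cached
    ]

if __name__ == "__main__":
    print(demo())
```

Because digests are remembered for longer than the maximum request age, a replay that arrives after its digest has been forgotten is still rejected by the date check.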