On Sat, 13 Jul 1996, Steffen Zahn wrote:
> I suggest ignoring Reply-To: etc and requiring a return address inside the signed region of the mail, otherwise someone could intercept the mail (suppressing the original) and resend it from his account and the results would get sent to the interceptor.
I agree. Having a return address outside the signature allows for denial-of-service attacks and it would be trivial to intercept the output of the script. Definitely not a Good Thing.
> Another idea would be to extract the return address from the PGP userid which signed the script.
There are a couple of problems with this idea:

- The security of this scheme depends on trusting the user to sign her key. If the user doesn't, then an attacker can intercept the user's key and alter the key ID.

- Even if the user does sign her key, there is still the problem of an attacker being able to generate a key with an identical key ID and a different user ID. If the attacker has the ability to intercept and modify messages, a MITM attack would be very effective. If the key's fingerprint was included in the signed message, an MITM attack would be necessary to subvert the system. If the key's fingerprint is included in the message, then it certainly wouldn't take much more effort to put a return address in the signed body of the message.

-- Mark
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
markm@voicenet.com            | finger -l for PGP key 0xe3bf2169
http://www.voicenet.com/~markm/ | d61734f2800486ae6f79bfeb70f95348
"Freedom is the freedom to say that two plus two make four. If that is
granted, all else follows." --George Orwell, _1984_
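The design the thread converges on (ignore the envelope's Reply-To, take the return address only from inside the signed region, and bind trust to the full key fingerprint rather than a short key ID) can be made concrete in a few dozen lines. The following Go program is an added example written for this page, not code from either poster or from the script service being discussed. It stands in Ed25519 for PGP signatures and SHA-256 of the raw public key for the PGP fingerprint (both assumptions made so that it runs with the standard library alone), and the "Return-Address:" line, the trust map, and the names Alice and Eve are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Errors the service reports before it ever executes anything.
var (
	ErrUntrustedKey = errors.New("signing key is not in the trust store")
	ErrBadSignature = errors.New("signature does not verify over the body")
	ErrNoAddress    = errors.New("no Return-Address line inside the signed region")
)

// Envelope is the mail as it reaches the service. ReplyTo comes from the
// unsigned header block and is controlled by whoever last relayed the mail;
// Body is the signed region and Sig covers exactly those bytes.
type Envelope struct {
	ReplyTo string            // untrusted: outside the signed region, never consulted
	Body    []byte            // the signed region, including the Return-Address line
	Sig     []byte            // signature over Body
	Pub     ed25519.PublicKey // key the sender claims to have signed with
}

// Fingerprint binds a trust decision to the whole public key (assumption:
// SHA-256 of the raw key stands in for a PGP fingerprint). Keying the trust
// store on a truncated key ID instead would let an attacker mint a different
// key with the same ID, which is the second problem raised in the reply.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// ShortID mimics a PGP-style short key ID (low 32 bits): fine to display,
// far too short to identify a key.
func ShortID(pub ed25519.PublicKey) string {
	return hex.EncodeToString(pub[len(pub)-4:])
}

// Sign is what the legitimate sender does: sign the body (return address
// included) and attach whatever Reply-To the mail system happens to carry.
func Sign(priv ed25519.PrivateKey, replyTo, body string) Envelope {
	return Envelope{
		ReplyTo: replyTo,
		Body:    []byte(body),
		Sig:     ed25519.Sign(priv, []byte(body)),
		Pub:     priv.Public().(ed25519.PublicKey),
	}
}

// ReturnAddress decides where the script's output may go. The order matters:
// check the key against the trust store, check the signature, and only then
// parse the body. env.ReplyTo is deliberately ignored.
func ReturnAddress(env Envelope, trusted map[string]bool) (string, error) {
	if !trusted[Fingerprint(env.Pub)] {
		return "", ErrUntrustedKey
	}
	if !ed25519.Verify(env.Pub, env.Body, env.Sig) {
		return "", ErrBadSignature
	}
	sc := bufio.NewScanner(bytes.NewReader(env.Body))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "Return-Address:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "Return-Address:")), nil
		}
	}
	return "", ErrNoAddress
}

func main() {
	// Constructed keys and message for the demonstration.
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, evePriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]bool{Fingerprint(alicePub): true}
	body := "Return-Address: alice@example.org\n\necho hello\n"
	evil := strings.Replace(body, "alice@example.org", "eve@example.net", 1)

	// 1. Honest delivery, but the envelope Reply-To was rewritten in transit.
	env := Sign(alicePriv, "eve@example.net", body)
	addr, err := ReturnAddress(env, trusted)
	fmt.Println("honest:", addr, err) // honest: alice@example.org <nil>

	// 2. Eve suppresses the original and resends it signed with her own key.
	_, err = ReturnAddress(Sign(evePriv, "eve@example.net", evil), trusted)
	fmt.Println("resent:", err) // resent: signing key is not in the trust store

	// 3. Eve keeps Alice's signature but edits the address inside the body.
	tampered := env
	tampered.Body = []byte(evil)
	_, err = ReturnAddress(tampered, trusted)
	fmt.Println("tampered:", err) // tampered: signature does not verify over the body

	fmt.Println("short ID:", ShortID(alicePub), "fingerprint:", Fingerprint(alicePub))
}
```

The check that matters is the ordering inside ReturnAddress: nothing from the body, the return address included, is believed until the key has been matched by full fingerprint and the signature has verified over the exact bytes that contain the address. Swapping PGP back in changes only Sign, Verify and Fingerprint; the parsing and the trust decision stay the same.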