Only accepting e-mail from known parties

Dr. Dimitri Vulis dlv at bwalk.dm.com
Mon Dec 25 05:26:56 PST 1995


owner-cypherpunks at toad.com writes:
> Eric Murray wrote:
>
> | Where we're headed is mail filters with PGP imbedded (PGP 3 will
> | make this much easier) that check incoming mail for a valid signature
> | for certain PGP keyid/fingerprints and pass that mail along.
> | Other mail that doesn't match gets tossed into a 'junk' folder
> | or thrown away if you really don't want to talk to anyone that you
> | don't already know.
>
> I agree with the assessment of where we may be going, but the
> technology is available now.  (Marshall Rose uses it; if you want to
> get mail into his private mailbox, offer him some $ via imbedded FV
> authorizations in the mail, and it goes into his inbox.  If he thinks
> it was worth his time, he doesn't charge you.)
>
> Anyway, the code is definitely available now.  The back end is a
> little kludgy, but it was needed for an auto key retrieval script.
> This could easily be hacked to include a +pubring=$people line.  The
> script gives you a keyid, which you can then use to filter on, ie:
<shell script>

This is much better than nothing. This would stop the e-mail being
sent to everyone who's ever posted to Usenet. I see a couple of attacks:

1. Alice only accepts signed e-mail from Bob. Carol receives a signed e-mail
from Bob to Carol, sends 10,000 e-mails to Alice (via sendmail) with From: bob,
same body+signature, possibly varying message-ids and subjects.

2. Alice only accepts signed e-mail from Bob. Carol, a rogue sysadmin,
intercepts an e-mail from Bob to Alice, sends 10,000 more copies of it to Alice
(via sendmail) with From: bob, possibly varying message-ids and subjects.

As I keep pointing out, pgp-signing the body is not enough.

---

Dr. Dimitri Vulis
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps
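
The two replays described in the message above, seen from the receiving filter's side, as an added example that is not part of the original post or of the script it replies to. It assumes PGP verification has already run and yielded a key id, and that senders repeat "To:" and "Date:" lines inside the signed text; the class name, key id and addresses are constructed for illustration.

```python
import hashlib

class SignedMailFilter:
    """Accept mail only if it is signed by a known key, addressed to us
    inside the signed text, and has not been delivered before."""

    def __init__(self, me, trusted_keyids):
        self.me = me.lower()
        self.trusted = set(trusted_keyids)
        self.seen = set()  # (keyid, sha256 of signed text) already delivered

    @staticmethod
    def _signed_fields(signed_text):
        # Assumed convention: the signed text starts with "Name: value"
        # lines (To, Date) and a blank line, so they are covered by the
        # signature, unlike the outer headers.
        fields = {}
        for line in signed_text.splitlines():
            if not line.strip():
                break
            name, sep, value = line.partition(":")
            if sep:
                fields[name.strip().lower()] = value.strip()
        return fields

    def check(self, keyid, signed_text):
        # keyid comes from signature verification done upstream. The
        # unsigned From, Message-ID and Subject headers are never consulted,
        # so varying them changes nothing.
        if keyid not in self.trusted:
            return "junk: unknown key"
        fields = self._signed_fields(signed_text)
        # Case 1: a message Bob signed for someone else, re-sent to us.
        if fields.get("to", "").lower() != self.me:
            return "junk: signed text not addressed to us"
        # Case 2: a genuine message to us, re-sent many times.
        digest = hashlib.sha256(signed_text.encode()).hexdigest()
        if (keyid, digest) in self.seen:
            return "junk: replay"
        self.seen.add((keyid, digest))
        return "inbox"

# Constructed sample data (not real keys or addresses).
BOB = "0xB0B00001"
TO_ALICE = "To: alice@example.org\nDate: 1995-12-25\n\nLunch on Tuesday?"
TO_CAROL = "To: carol@example.org\nDate: 1995-12-25\n\nLunch on Tuesday?"
```

The replay set grows without bound as written; a real filter would expire entries using the signed Date field and reject messages older than that window.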





