1996-07-14 - Re: Execution of signed scripts received by e-mail

Header Data

From: Matt Carpenter <mcarpent@Dusk.obscure.net>
To: markm@voicenet.com (Mark M.)
Message Hash: 1fff6cb39da4f9955d9ef160bad0538cab39615afc61988aa596d7369b66fcea
Message ID: <199607141037.FAA01283@Dusk.obscure.net>
Reply To: <Pine.LNX.3.94.960713180741.2563A-100000@gak>
UTC Datetime: 1996-07-14 14:03:59 UTC
Raw Date: Sun, 14 Jul 1996 22:03:59 +0800

Raw message

From: Matt Carpenter <mcarpent@Dusk.obscure.net>
Date: Sun, 14 Jul 1996 22:03:59 +0800
To: markm@voicenet.com (Mark M.)
Subject: Re: Execution of signed scripts received by e-mail
In-Reply-To: <Pine.LNX.3.94.960713180741.2563A-100000@gak>
Message-ID: <199607141037.FAA01283@Dusk.obscure.net>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Mark M. <markm@voicenet.com> writes:
> 
> On Sat, 13 Jul 1996, Steffen Zahn wrote:
> 
> > I suggest ignoring Reply-To: etc and requiring a return address inside
> > the signed region of the mail, otherwise someone could intercept the mail
> > (suppressing the original) and resend it from his account and the results
> > would get sent to the interceptor.
> 
> I agree.  Having a return address outside the signature allows for denial-o=
> f-
> service attacks and it would be trivial to intercept the output of the scri=
> pt.
> Definitely not a Good Thing.
> 
> >  Another idea would be to extract the return address from the PGP userid
> > which signed the script.
> 
> There are a couple of problems with this idea:
> 
> 	- The security of this scheme depends on trusting the user to sign her
> 	key.  If the user doesn't, than an attacker can intercept the user's
> 	key and alter the key ID.
> 
> 	- Even if the user does sign her key, there is still the problem of
> 	an attacker being able to generate a key with an identical key ID and
> 	and a different user ID.  If the attacker has the ability to intercept
> 	and modify messages, a MITM attack would be very effective.  If the
> 	key's fingerprint was included in the signed message, an MITM attack
> 	would be necessary to subvert the system.
> 
> If the key's fingerprint is included in the message, then it certainly woul=
> dn't
> take much more effort to put a return address in the signed body of the
> message.


Those are both very good ideas.  I'll have it require both the return
address and key fingerprint in the signed portion of the message.  

>
>-- Mark

Thanks for the suggestions.

- --Matt

- --
mcarpent@mailhost.tcs.tulane.edu

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBMejMPCjtJAMyBnp9AQFWhAf+PJkWptoICREg2a0Er6aHXPaNGzsERqad
dovSi5D8qByIzvr1ge0sjGxDAIaLXGjH4XMEAEjr+lZQI7jVa3f5wnGQRVneqbXB
sEI+Oh+3EnWut+hCAsr+PDIcRb1kLsp9v/rGhVxQkYhsLTJ55RDv5YYXVWxmB0ye
zfsuERnh6+V/q3FLs7UgAn7OjdpD3NiuFizUI4li4M03o3yT9dbecmkv0pvdeOV4
2GEHnX4WhZpmqviWHcqNkjmhcFN8hq0UHHm6oqVBW1qm/LjdHCHHZLaSHbwtIVHa
Bp39AxJfmTurwMosW3alxfWselCr6fUGBSQ7j9/REFAgt9aBxk4ISg==
=Ruc9
-----END PGP SIGNATURE-----





Thread