From: "Jeff Hupp" <jhupp@novellnet.gensys.com>
Date: Mon, 25 Dec 1995 23:51:41 +0800
To: cypherpunks@toad.com
Subject: Re: Only accepting e-mail from known parties
Message-ID: <13060E503DA@Novellnet.Gensys.com>
MIME-Version: 1.0
Content-Type: text/plain


On 25 Dec 95 at 7:45, Dr. Dimitri Vulis wrote:

[much on a pgp based gateway filter for email]
: 
: This is much better than nothing. This would stop the e-mail being
: sent to everyone who's ever posted to Usenet. I see a couple of attacks:
: 
: 1. Alice only accepts signed e-mail from Bob. Carol receives a signed e-mail
: from Bob to Carol, sends 10,000 e-mails to Alice (via sendmail) with From: bob,
: same body+signature, possibly varying message-ids and subjects.
: 
: 2. Alice only accepts signed e-mail from Bob. Carol, a rogue sysadmin,
: intercepts an e-mail from Bob to Alice, sends 10,000 more copies of it to Alice
: (via sendmail) with From: bob, possibly varying message-ids and subjects.
: 
: As I keep pointing out, pgp-signing the body is not enough.
: 

	Keep checksums of signitures (or body text) for a week, duplicate 
messages are routed to /dev/null.

-- 
JHupp@gensys.com           |For PGP Public Key:
http://gensys.com          |finger jhupp@gensys.com
You are lost in a maze of twisty little standards, all
different.