1996-07-13 - Re: Execution of signed scripts received by e-mail

Header Data

From: Steffen Zahn <zahn@berlin.snafu.de>
To: mcarpent@mailhost.tcs.tulane.edu
Message Hash: c514e3802d8955d134bdb8b9265bdc02f2f18aeaac323f07b9db95f8089b10ad
Message ID: <199607131624.SAA01131@zahn.berlin.snafu.de>
Reply To: <199607130841.DAA00240@Dusk.obscure.net>
UTC Datetime: 1996-07-13 21:14:47 UTC
Raw Date: Sun, 14 Jul 1996 05:14:47 +0800

Raw message

From: Steffen Zahn <zahn@berlin.snafu.de>
Date: Sun, 14 Jul 1996 05:14:47 +0800
To: mcarpent@mailhost.tcs.tulane.edu
Subject: Re: Execution of signed scripts received by e-mail
In-Reply-To: <199607130841.DAA00240@Dusk.obscure.net>
Message-ID: <199607131624.SAA01131@zahn.berlin.snafu.de>
MIME-Version: 1.0
Content-Type: text/plain


    Matt> Get one input line at a time, and look for Reply-To: and
    Matt> From: headers to get a reply address.  As we are slurping up
    Matt> lines, watch for '-----BEGIN PGP' lines.  If it is for

I suggest ignoring Reply-To: etc. and requiring a return address inside
the signed region of the mail, otherwise someone could intercept the mail
(suppressing the original) and resend it from his account and the results
would get sent to the interceptor.
Another idea would be to extract the return address from the PGP userid
which signed the script.

Regards
  Steffen

-- 
work: Steffen.Zahn%robinie@emndev.siemens.co.at | home: zahn@berlin.snafu.de
      phone:+49-30-38624969                     |       phone:+49-30-4732126
Any opinions expressed herein are not necessarily those of my employer.
Use of my addresses for unsolicited commercial advertising is forbidden.
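
The following is an added example, not part of the original message: a Python sketch of both suggestions, taking the reply address only from inside the cleartext-signed region or from the signer's user ID. The `Return-Address:` line convention, the function names and all addresses are assumptions made for illustration. The code only locates the signed text and is meant to run after PGP has reported a good signature on that same message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample: a resent copy whose outer headers name the interceptor.
SAMPLE = """\
From: interceptor@example.net
Reply-To: interceptor@example.net
Subject: run this

Return-Address: decoy@example.net
-----BEGIN PGP SIGNED MESSAGE-----

Return-Address: alice@example.org
echo hello
- -----BEGIN PGP line that the signer dash-escaped
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

def signed_region(raw):
    """Lines of the cleartext-signed text, or None if the framing is missing."""
    lines = message_from_string(raw).get_payload().splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        end = lines.index(BEGIN_SIG, start)
        region = lines[start + 1:end]
        region = region[region.index("") + 1:]  # skip armor headers up to the blank line
    except ValueError:
        return None
    # Undo dash-escaping so the text matches what was signed.
    return [l[2:] if l.startswith("- ") else l for l in region]

def return_address(raw):
    """Reply address from inside the signed region only (hypothetical line format)."""
    for line in signed_region(raw) or []:
        m = re.fullmatch(r"Return-Address:\s*(\S+@\S+)", line)
        if m:
            return m.group(1)
    return None  # From: and Reply-To: are deliberately never consulted

def address_from_userid(userid):
    """Alternative: the address part of the signing key's user ID."""
    addr = parseaddr(userid)[1]
    return addr if "@" in addr else None
```

With the constructed sample, the interceptor's headers and the unsigned decoy line are both ignored, and a message with no signed region yields no reply address at all.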




