[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Only accepting e-mail from known parties




	Dr Dimitri Vulis:

On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote:

> Jonathan Blake <[email protected]> writes:
> > On Mon, 25 Dec 1995, Dr. Dimitri Vulis wrote:
> >
> I'll be delighted if someone convinces me that I'm wrong about this.
> I may even start using PGP signatures. :)

	When I get the bugs out of the procmail script I'm
	writing, to accomplish this, I'll send it to you.

> I said, Carol can *forge* the RFC 822 header, so her e-mails look like they
> came from Bob, and use the body from Bob's authentic PGP-signed message.

	Strip out everything that is not header information, and is
	not signed with pgp. You could even strip out all header
	information, except for who sent the message.  That you need,
	so you know who to respond to.  

> The e-mail is sent by Carol, but the RFC 822 header says "From: Bob".
> If you think this is hard to accomplish, take a look, e.g., at the source

	Forged signatures are not that difficult to accomplish.

> The PGP-signed portion is copied verbatim from an authentic message.

	This is a good point.  

	However, won['t most messages have the name of the intended
	recipient inside the PGP signature lines?

	Regardless, you've stated a weakness that I hadn't realized
	existed.  

> Alice _may_ notice that the _Received:_ headers are weird, but this
> forgery will certainly pass through a script that checks signatures.

	I'll have to give this some thought.  Have the script
	match the from id, with the message id.  << Not sure 
	how I can do this one, yet.  >>

> That's because PGP only signed a portion of the body, not the important
> headers like "Date:", "To:", "Subject:", and "Newsgroups:", nor the .sig.

	The Header won't be signed by PGP.  That part I will concede.
	The signature might be signed by PGP, depending on what one is
	using to read & respond to email with.  With SLMR can sign 
	signatures. << Granted, it is for DOS, and is geared towards 
	FidoNet conferences.  And I had to right a batch file to call 
	the editor, then the program to attach the signature, then 
	sign the thing.  But the signature was included in the signed 
	part of the pgp message.  >>

        xan

        jonathon
        [email protected]


****************************************************************
	
	Opinions represented are not necessarilly mine.

	OTOH, they are not representations of any organization 
	I am affiliated with, either.

	WebPage:	ftp://ftp.netcom.com/gr/graphology/home.html
	
          For a good prime, call 391581 * 2^216193 - 1

**********************************************************************