innd and rejects of dates

Russ Allbery rra at stanford.edu
Mon Sep 27 20:38:18 UTC 2010


Thomas Hochstein <inn-workers at ml.th-h.de> writes:
> Russ Allbery schrieb:

>> But I agree that the real fix is to sign Injection-Date as well.  

> That wouldn't help against replaying of old control messages, as far
> as I see, as there wasn't anything like Injection-Date when they were
> sent.

You eventually have to require that Injection-Date is covered by the
signature in the processing software for the fix to be complete.  (The
pgpcontrol signing algorithm allows the signature to assert the absence of
a header.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <http://www.eyrie.org/~eagle/faqs/questions.html> explains why.



More information about the inn-workers mailing list