[Mailman-Developers] Crypto-sign to post

stephen at xemacs.org
Fri Nov 10 02:53:18 CET 2006


John W. Baxter writes:

 > I think all traces of the signature need to be stripped after it is used for
 > verification (but I could be wrong).

This should be an option or at least there should be an easy way to
work around it; suppose the message is something like a collection of
checksums for a distro, or a signed patch for projects that use such
things?

However, for general purposes I think that stripping the signature
would be a good idea.  Specifically, I would imagine that even if you
sign "the whole message", this still leaves room for spammish use of
the preamble and trailer (or even the Subject header), while the
signed body of the message is used in a replay attack.
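
The point above, as an added example that is not part of the original message: for an RFC 3156-style multipart/signed mail, it lists what the signature does not cover (Subject, preamble, trailer) and flags a signed part that has been seen before. The names `build`, `coverage` and `is_replay`, the sample messages and the placeholder signature are constructed for illustration; no real signature is verified, and the seen-digest check is an assumption, not something the thread proposes.

```python
import hashlib
from email import message_from_string

def build(subject, preamble, epilogue):
    # Constructed sample message; the signature part is a placeholder.
    return (
        "From: poster@example.org\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/signed; boundary="b1"; micalg=pgp-sha1;\n'
        ' protocol="application/pgp-signature"\n'
        "\n"
        f"{preamble}\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "Checksums for release 1.0 follow.\n"
        "--b1\n"
        "Content-Type: application/pgp-signature\n"
        "\n"
        "PLACEHOLDER-SIGNATURE\n"
        "--b1--\n"
        f"{epilogue}\n"
    )

def coverage(raw):
    """Split a multipart/signed message into signed and unsigned regions."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/signed"
            or not msg.is_multipart() or len(msg.get_payload()) != 2):
        raise ValueError("not a two-part multipart/signed message")
    signed_part = msg.get_payload(0)  # only this part is under the signature
    return {
        "signed_digest": hashlib.sha256(signed_part.as_bytes()).hexdigest(),
        "unsigned": {
            "Subject": msg["Subject"],
            "preamble": (msg.preamble or "").strip(),
            "epilogue": (msg.epilogue or "").strip(),
        },
    }

def is_replay(raw, seen_digests):
    """True if this signed part was already accepted (hypothetical list-side check)."""
    digest = coverage(raw)["signed_digest"]
    if digest in seen_digests:
        return True
    seen_digests.add(digest)
    return False
```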


