On Fri, 22 Nov 2002, Joey Hess wrote: > > After verifying the signature on the data, the receiver does some sanity > > checks. One of the checks is doing an md5sum over the entire file > > (remember, this includes both the headers and the payload). If it > > has seen the same md5sum in the last 60 days, it rejects the request. If > > the date of the request was more than 30 days ago, it rejects the request. > > Hold on, if you're md5summing the headers, what is to stop an attacker > from modifying the subject, and using an intercepted, gpg-signed body to > repeat the command?
PGP signatures have a signature ID and a date that are ment to be used to prevent against replay attacks. I forget the exact details but there is a gpg mode that prints it out. The db.debian.org gateways all make use of it. Jason
