On Fri, Nov 22, 2002 at 12:24:34AM -0500, Joey Hess wrote:
> > After verifying the signature on the data, the receiver does some sanity
> > checks. One of the checks is doing an md5sum over the entire file
^^^^^^^^^^^^^^^^^^^^
> > (remember, this includes both the headers and the payload). If it
> > has seen the same md5sum in the last 60 days, it rejects the request. If
> > the date of the request was more than 30 days ago, it rejects the request.
>
> Hold on, if you're md5summing the headers, what is to stop an attacker
> from modifying the subject, and using an intercepted, gpg-signed body to
> repeat the command?
It's an md5sum over the entire file. The file includes both the headers and
the body.
-- John
