[Psi-devel] Re: Re: Re: Re: Remote Controlling Psi
justin-psi at affinix.com
Tue Jan 4 11:43:20 PST 2005
Are ad-hoc commands always a two-step process (fetch form, submit form) ?
If so, then all you need is for the command server to supply a random id in
the form. When the client submits the command request, just include the id.
This is how replay attacks are solved in all "live" protocols.
On Tuesday 04 January 2005 10:42 am, Hal Rottenberg wrote:
> But the admin can't change the contents--that would invalidate the
> signature, for which he does not have the private key.
> On Tue, 4 Jan 2005 19:09:59 +0100, Remko Troncon
> <remko.troncon at cs.kuleuven.ac.be> wrote:
> > > That's the point with this though, isn't it? The server server is
> > > capable of getting the message through before the timestamp expires,
> > > which is what Remko meant by immediately (I think).
> > Exactly ! What Jan proposed was indeed the safest transparent thing i
> > could come up with, but still not safe enough. Anyway, a last resort
> > solution would be to just let the client GPG encrypt the file before
> > sending it (wasn't this requested as a Psi feature anyway ;)); as an
> > extra threshold, you could sign the command, but it's not even necessary.
> > cheers,
> > Remko
> > _______________________________________________
> > Psi-devel-affinix.com mailing list
> > Psi-devel-affinix.com at lists.affinix.com
> > http://lists.affinix.com/listinfo.cgi/psi-devel-affinix.com
More information about the Psi-devel-affinix.com