[Psi-devel] Re: Re: Re: Re: Remote Controlling Psi
Justin Karneges
justin-psi at affinix.com
Tue Jan 4 11:43:20 PST 2005
Are ad-hoc commands always a two-step process (fetch form, submit form) ?
If so, then all you need is for the command server to supply a random id in
the form. When the client submits the command request, just include the id.
This is how replay attacks are solved in all "live" protocols.
-Justin
On Tuesday 04 January 2005 10:42 am, Hal Rottenberg wrote:
> But the admin can't change the contents--that would invalidate the
> signature, for which he does not have the private key.
>
>
> On Tue, 4 Jan 2005 19:09:59 +0100, Remko Troncon
>
> <remko.troncon at cs.kuleuven.ac.be> wrote:
> > > That's the point with this though, isn't it? The server server is
> > > capable of getting the message through before the timestamp expires,
> > > which is what Remko meant by immediately (I think).
> >
> > Exactly ! What Jan proposed was indeed the safest transparent thing i
> > could come up with, but still not safe enough. Anyway, a last resort
> > solution would be to just let the client GPG encrypt the file before
> > sending it (wasn't this requested as a Psi feature anyway ;)); as an
> > extra threshold, you could sign the command, but it's not even necessary.
> >
> > cheers,
> > Remko
> > _______________________________________________
> > Psi-devel-affinix.com mailing list
> > Psi-devel-affinix.com at lists.affinix.com
> > http://lists.affinix.com/listinfo.cgi/psi-devel-affinix.com
More information about the Psi-devel-affinix.com
mailing list