Sorry, perhaps I was misunderstood.
I was concerned not about the theft of the secret (which I agree would
be analogous to S/MIME), but rather about the theft of a valid
porkhash/MAC from a header of a valid porkhashed message. Such stolen
MAC can seem to be reused (fraudulently) on a million other messages.
I'm probably missing something,
Bob
-----Original Message-----
From: william(_at_)elan(_dot_)net [mailto:william(_at_)elan(_dot_)net]
Sent: Wednesday, April 02, 2003 2:24 PM
To: Bob Atkinson
Cc: asrg(_at_)ietf(_dot_)org
Same as with S/MIME certs - if they got hold of your key, they can
pretent
to be you.
[...]
On Wed, 2 Apr 2003, Bob Atkinson wrote:
I see how this sort of approach can tie a particular timestamp and
sender_id / email address together in a MAC which can be validated,
but
I'm missing how the MAC gets coupled to a given message.
Was such a coupling intended?
If not, what's to prevent a spammer who gets his hands on one of these
(a valid one) from then using it to send a million messages of his own
(where of course he'll force all the other headers as necessary).
Confused,
Bob
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg