ietf-asrg

RE: [Asrg] porkhash: flexible anti-impersonation mail signatures

2003-04-02 18:11:01
-----Original Message-----
From: jm(_at_)jmason(_dot_)org [mailto:jm(_at_)jmason(_dot_)org]
Sent: Wednesday, April 02, 2003 4:53 PM
To: Bob Atkinson
Cc: asrg(_at_)ietf(_dot_)org

[...]

The key, as I see it, is the use of a timestamp.  Spammers who wish to
replay a valid token, will then have to intercept a message with such
a token within a small window of time *after* the message was posted
(and presumably archived on a public webpage for example).

It's reasonably trivial, modulo the usual date-stamp-decoding logic,
to compare the Date header's timestamp with the MAC's timestamp.

But won't the spammer simply forge the timestamps/Date headers in his
message so as to match the MAC's inputs (which he can do no matter how
long ago he stole the MAC)? I guess I don't see how you can thus
usefully compare the MAC with the Date header or other message contents,
but perhaps I'm just being slow at the end of the day.

You might perhaps be able to compare the MAC's timestamp with a window
around the actual time of receipt of the mail, say the instant of the
corresponding SMTP RCPT command (or a suitable stand-in). But then the
legitimate guy in the first place is faced with the problem of
predicting exactly when this will occur, which is at times difficult to
do.

Still confused,

        Bob

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
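
The two checks debated in this message, side by side, as an added example that is not part of the original post and not porkhash's own code. The token layout (timestamp plus HMAC over sender and timestamp), the key, the one-hour window, and all names are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

KEY = b"constructed-demo-key"  # assumption: secret known to signer and verifier
WINDOW = 3600                  # assumption: accepted delivery skew, in seconds

def make_token(sender: str, ts: int) -> str:
    """Token = timestamp plus HMAC over sender and timestamp (assumed layout)."""
    mac = hmac.new(KEY, f"{sender}|{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"

def token_timestamp(sender: str, token: str):
    """Return the signed timestamp if the MAC verifies, else None."""
    ts_str = token.partition(":")[0]
    if not (ts_str.isascii() and ts_str.isdigit()):
        return None
    expected = make_token(sender, int(ts_str)).encode()
    good = hmac.compare_digest(expected, token.encode())
    return int(ts_str) if good else None

def accept_by_date_header(sender: str, token: str, date_header: str) -> bool:
    """Check 1: MAC timestamp against the message's own Date header."""
    ts = token_timestamp(sender, token)
    if ts is None:
        return False
    return abs(parsedate_to_datetime(date_header).timestamp() - ts) <= WINDOW

def accept_by_receipt_time(sender: str, token: str, received_at: int) -> bool:
    """Check 2: MAC timestamp against the receiver's clock at delivery."""
    ts = token_timestamp(sender, token)
    return ts is not None and abs(received_at - ts) <= WINDOW

def date_header_for(ts: int) -> str:
    """Date header text for a given epoch time (whoever sends controls this)."""
    return format_datetime(datetime.fromtimestamp(ts, timezone.utc))

# Constructed scenario: a token signed at POSTED is copied from a public archive
# and resent 30 days later with a Date header set to match the signed timestamp.
SENDER = "alice@example.org"
POSTED = 1049302380            # 2003-04-02 16:53:00 UTC
TOKEN = make_token(SENDER, POSTED)
REPLAY_AT = POSTED + 30 * 86400

if __name__ == "__main__":
    print("replay, Date check:     ", accept_by_date_header(SENDER, TOKEN, date_header_for(POSTED)))
    print("replay, receipt check:  ", accept_by_receipt_time(SENDER, TOKEN, REPLAY_AT))
    print("genuine, 5 min delay:   ", accept_by_receipt_time(SENDER, TOKEN, POSTED + 300))
    print("genuine, 2 h queue delay:", accept_by_receipt_time(SENDER, TOKEN, POSTED + 7200))
```

The Date-header check accepts the replay because both compared values come from the sender, while the receipt-time check rejects it but also rejects genuine mail held in a queue longer than the window.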


