Re: why bodyhash if just an authentication mechanism

From: SM <sm_at_resistor.net>
Date: Sat, 17 Dec 2011 08:25:39 -0800

Hi Ram,
At 05:33 17-12-2011, Ram wrote:
>I had assumed that dkim was just a authentication mechanism for
>verification that the sender domain ( or the signing domain ) has
>been verified.
>So this is just to prevent someone else forging my domain(s) and
>sending mails
>But now as I read the code the code also creates a bodyhash and
>includes in the signature.
>
>So does a valid DKIM signature also mean that the content is not
>tampered with ?

I'll quote RFC 6376:

   "A DKIM signature associates the "d=" name with the computed hash of
    some or all of the message (see Section 3.7) in order to prevent the
    reuse of the signature with different messages. Verifying the
    signature asserts that the hashed content has not changed since it
    was signed and asserts nothing else about "protecting" the end-to-end
    integrity of the message."

If your question is whether the valid DKIM signature means that the
content is protected, the answer is no.

Regards,
-sm
Received on Sat Dec 17 2011 - 16:27:34 PST