Re: why bodyhash if just an authentication mechanism

From: Ramprasad <ram_at_netcore.co.in>
Date: Sun, 18 Dec 2011 15:54:09 +0530

On 12/17/2011 9:55 PM, SM wrote:
> Hi Ram,
> At 05:33 17-12-2011, Ram wrote:
>> I had assumed that dkim was just a authentication mechanism for
>> verification that the sender domain ( or the signing domain ) has
>> been verified.
>> So this is just to prevent someone else forging my domain(s) and
>> sending mails
>> But now as I read the code the code also creates a bodyhash and
>> includes in the signature.
>>
>> So does a valid DKIM signature also mean that the content is not
>> tampered with ?
>
> I'll quote RFC 6376:
>
> "A DKIM signature associates the "d=" name with the computed hash of
> some or all of the message (see Section 3.7) in order to prevent the
> reuse of the signature with different messages. Verifying the
> signature asserts that the hashed content has not changed since it
> was signed and asserts nothing else about "protecting" the end-to-end
> integrity of the message."
>
> If your question is whether the valid DKIM signature means that the
> content is protected, the answer is no.
>
But why not ?
If the body hash did not verify then the content has been tampered with.

Conversely if it verifies why does it not mean that the body has not
been tampered with ?


> Regards,
> -sm
>
>
Received on Sun Dec 18 2011 - 10:24:23 PST