Re: Disclaimer added post signing

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Tue, 11 Feb 2014 13:17:03 -0800 (PST)

On Tue, 11 Feb 2014, Benny Pedersen wrote:
> Let's say body is not signed, we allow it to be 100% faked, would an
> attacker then be able to make headers DKIM pass?

For example, if you sign the header only and not the body (i.e., "l=0"),
then you can re-use the header fields that were signed as many times as you
want and with any content, and it will still pass until the key is changed
or removed.

-MSK
Received on Tue Feb 11 2014 - 21:17:27 PST
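
Added example, not part of the original message: a Python sketch of why "l=0" leaves the body unprotected, plus a verifier-side check that reports how many body bytes a signature does not cover. The function names and the sample signature value (domain, selector, elided b=) are constructed for illustration; only "simple" body canonicalization is implemented.

```python
import base64
import hashlib


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty
    lines and make sure the body ends with exactly one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, l=None) -> str:
    """bh= value: SHA-256 over the canonicalized body, truncated to
    the first l octets when an l= tag is present."""
    canon = canon_body_simple(body)
    if l is not None:
        canon = canon[:l]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def unsigned_body_bytes(sig_value: str, body: bytes) -> int:
    """Canonicalized body octets that fall outside the signed length.
    0 means the whole body is covered (no l= tag, or l >= body size)."""
    tags = parse_tags(sig_value)
    if "l" not in tags:
        return 0
    return max(0, len(canon_body_simple(body)) - int(tags["l"]))


# Constructed sample signature value; b= is elided on purpose.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel; "
              "h=from:subject:date; l=0; "
              "bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=...")
```

A receiver can treat any non-zero result from `unsigned_body_bytes` as content the signer never vouched for, for example by discounting the signature or displaying only the signed portion.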
