Re: Disclaimer added post signing

From: Benny Pedersen <me_at_junc.eu>
Date: Tue, 11 Feb 2014 22:28:52 +0100

On 2014-02-11 22:17, Murray S. Kucherawy wrote:
> On Tue, 11 Feb 2014, Benny Pedersen wrote:
>> let's say body is not signed, we allow it to be 100% faked, would an
>> attacker then be able to make headers dkim pass?
>
> For example, if you sign the header only and not the body (i.e.,
> "l=0"), then you can re-use the header fields that were signed as many
> times as you want and with any content, and it will still pass until the
> key is changed or removed.

it will still not make spf pass, unless the faked email is sent from spf
pass ip, so if dmarc does not check spf it is possible, but if it does
it would be caught imho
Received on Tue Feb 11 2014 - 21:29:06 PST
