Re: Disclaimer added post signing

From: Murray S. Kucherawy <>
Date: Tue, 11 Feb 2014 13:17:03 -0800 (PST)

On Tue, 11 Feb 2014, Benny Pedersen wrote:
> let's say the body is not signed, we allow it to be 100% faked, would an
> attacker then be able to make headers dkim pass?

For example, if you sign the header only and not the body (i.e., "l=0"),
then you can re-use the header fields that were signed as many times as you
want and with any content, and it will still pass until the key is changed
or removed.

Received on Tue Feb 11 2014 - 21:17:27 PST
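
Why the "l=0" case in the reply above verifies with any content, and how a receiver can measure the unsigned part of a body: this is an added example, not part of the original message or of any DKIM implementation. It assumes SHA-256, "simple" body canonicalization as defined in RFC 6376, and CRLF line endings; the sample messages, the domain and the helper names are constructed for illustration.

```python
import base64
import hashlib

def canon_simple_body(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty
    lines, then end the body with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def body_hash(body: bytes, l=None) -> str:
    """bh= value for a SHA-256 signature. l is the l= tag: only the
    first l bytes of the canonicalized body are hashed."""
    data = canon_simple_body(body)
    if l is not None:
        data = data[:l]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs
    (whitespace inside values is dropped, enough for l= and bh=)."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def unsigned_body_bytes(sig_value: str, body: bytes) -> int:
    """Number of canonicalized body bytes the signature does not cover.
    0 means the whole body is signed (no l= tag, or l= spans it all)."""
    tags = parse_tags(sig_value)
    if "l" not in tags:
        return 0
    return max(0, len(canon_simple_body(body)) - int(tags["l"]))

# Constructed sample data (not taken from the thread).
ORIGINAL = b"Please review the attached report.\r\n"
REPLACED = b"Completely different content.\r\n"
SIG = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel; l=0; "
       "h=from:to:subject:date; bh=" + body_hash(ORIGINAL, 0) + "; b=(omitted)")

if __name__ == "__main__":
    # With l=0 the hash input is empty, so bh never depends on the body.
    print("bh, l=0, original:", body_hash(ORIGINAL, 0))
    print("bh, l=0, replaced:", body_hash(REPLACED, 0))
    print("bh, full, original:", body_hash(ORIGINAL))
    print("bh, full, replaced:", body_hash(REPLACED))
    print("unsigned bytes:", unsigned_body_bytes(SIG, REPLACED))
```

A receiving filter can use the unsigned byte count to treat a passing signature as covering the header fields only whenever the count is nonzero.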
