On Monday 1 August 2016 at 6:31:15 AM, in <mid:5596d79c-5257-4c40-1cba-08af9f870...@twopif.net>, Lachlan Gunn wrote:

> Hello,
>
> Has anyone had a go at using DKIM signatures as a way of verifying
> control of an email address with GPG?
>
> I've seen a few mentions of the idea online, particularly here:
>
> https://security.stackexchange.com/questions/107417/pgp-key-signing-robot-dkim-verified-emails/
>
> https://github.com/keybase/keybase-issues/issues/373

[snipped]

> Some of the problems that I can see:
>
> 1. Is the assumption valid that (absent server or endpoint compromise)
> only a user authorised by the provider can get a DKIM signature on mail
> with a From address from that provider?

The links you provided point out that DKIM certifies only the domain of the email address, not the user part.

The From address in the email header may not be the same as the MAIL FROM part of the SMTP dialogue. It might be that the first is trus...@example.com while the second is attac...@example.com. And both may differ from the credentials used to sign into the SMTP server.

> 3. How do you protect against attacks involving reply-to? Is the lack
> of a Re: in the subject line sufficiently convincing?

IMHO, no. What about:

- reply numbering, such as "Re[2]:"?
- non-English versions, such as "Aw:"?
- changed subject lines, for example to begin with a help ticket number or simply to make the subject match the content?

--
Best regards

MFPA <mailto:2014-667rhzu3dc-lists-gro...@riseup.net>

My mind works like lightning...
one brilliant flash and it's gone

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
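Added example, not part of the thread above: it works through the two points MFPA raises, namely that a DKIM signature vouches for the signing domain (d=) and not for the local part of the From address, and that a literal "no Re: in the subject" test is easily sidestepped by prefixes such as "Re[2]:" or "Aw:". The message headers are constructed sample input, the prefix list is illustrative, and the function names are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from the thread): d= names example.com,
# but header From, envelope sender and subject are judged separately.
SAMPLE = """\
Return-Path: <attacker@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:to:subject; bh=ABC=; b=XYZ=
From: Trusted User <trusted@example.com>
To: robot@keysigner.invalid
Subject: Re[2]: prove control of trusted@example.com
"""
# Reply/forward prefixes: Re:, Re[2]:, AW:, SV:, Fwd: (list is illustrative)
REPLY_PREFIX = re.compile(r"^\s*(re|aw|sv|vs|wg|fwd?)(\[\d+\])?\s*:", re.IGNORECASE)

def dkim_tags(header):
    """Parse the tag=value list of a DKIM-Signature header into a dict."""
    tags = {}
    for part in header.replace("\n", "").replace("\r", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def assess(raw):
    """Compare the identities a DKIM-based ownership check tends to conflate."""
    msg = message_from_string(raw)
    tags = dkim_tags(msg.get("DKIM-Signature", ""))
    signed_headers = [h.strip().lower() for h in tags.get("h", "").split(":")]
    dkim_domain = tags.get("d", "").lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1].lower()
    return {
        "dkim_domain": dkim_domain,
        "header_from": header_from,
        "envelope_from": envelope_from,
        # The signature protects the From header's bytes, but d= only says
        # the domain signed; it does not say who owns the local part.
        "from_header_signed": "from" in signed_headers,
        "from_domain_aligned": header_from.rpartition("@")[2] == dkim_domain,
        "envelope_matches_header": envelope_from == header_from,
    }

def subject_checks(subject):
    """A literal 'Re:' test misses Re[2]:, AW: and similar variants."""
    return {"naive_passes": not subject.startswith("Re:"),
            "has_reply_prefix": bool(REPLY_PREFIX.match(subject))}
```

On the sample, the From domain aligns with d= and the From header is covered by the signature, yet the envelope sender is a different account and the subject passes the naive check while clearly being a reply.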