On 2016-08-02 at 23:35, MFPA wrote:
> But to bring it back on-topic, would a DKIM signature on such a
> message be for the gmail.com domain or the twopif.net domain?

The key is from twopif.net, though obviously Google have the private key rather than myself.

> Is this a Denial of Service attack, rather than an attempt to get
> roboca to certify something it shouldn't?

No, the idea is that you send an email to vic...@example.com and rob...@roboca.com and when the victim hits reply-to-all the response goes to the CA as well. If such an email is considered acceptable, then an attacker who can get hold of the email now has a proof-of-sending.

> I thought the message-ID had to end in a fully qualified domain name.

Yes, you would do something like <a-shortish-ecdsa-signature-of-some-parameter>@roboca.net. But thinking about it further, this would mean that you couldn't mandate a clean subject line (no Re: etc.) without user intervention.

I guess I'll go ahead and start building, then we'll see how it looks in practice.

Thanks,
Lachlan
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
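The challenge-in-the-Message-ID scheme and the reply-to-all attack discussed in the message above, as an added worked example; this is not roboca's code or Lachlan's, and it assumes things the post does not state: the CA domain roboca.net, an HMAC-SHA256 tag under a CA-held secret standing in for the ECDSA signature the post mentions, and the constructed sample messages. The CA accepts a reply only when its In-Reply-To header names a Message-ID the CA itself issued for the From: address; a reply-all to an attacker's message references the attacker's Message-ID instead and is rejected, and because the binding lives in the Message-ID rather than the Subject, a "Re:" prefix does not need to be forbidden.

```python
"""Email-control challenge carried in a Message-ID (example code, not roboca's).

Assumptions not in the original post: CA domain roboca.net, an HMAC-SHA256 tag
in place of the ECDSA signature mentioned in the post, and constructed sample
messages used for the demonstration at the bottom.
"""
import base64
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

CA_DOMAIN = "roboca.net"                                # assumed CA domain
CA_SECRET = b"constructed-demo-secret-do-not-reuse"     # stands in for the CA signing key
MAX_AGE = 3600                                          # seconds a challenge stays valid


def _b64e(data: bytes) -> str:
    """URL-safe base64 without padding: only [A-Za-z0-9_-], legal in a Message-ID."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_challenge_id(address: str, issued_at: int, secret: bytes = CA_SECRET) -> str:
    """Build <param.tag@roboca.net>. param carries the address and issue time so
    the CA needs no state; tag authenticates param so nobody else can mint one."""
    param = f"{address.lower()}|{issued_at}".encode()
    tag = hmac.new(secret, param, hashlib.sha256).digest()[:16]
    return f"<{_b64e(param)}.{_b64e(tag)}@{CA_DOMAIN}>"


_ID_RE = re.compile(r"<([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)@" + re.escape(CA_DOMAIN) + r">")


def verify_reply(raw: str, now: int, secret: bytes = CA_SECRET):
    """Return (ok, address_or_reason). The reply proves control of an address only
    if In-Reply-To names a CA challenge with a valid tag, the challenge was issued
    for the From: address, and it has not expired. The Subject is never consulted."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    m = _ID_RE.fullmatch(msg.get("In-Reply-To", "").strip())
    if not m:
        return False, "In-Reply-To does not reference a CA challenge"
    param_b64, tag_b64 = m.groups()
    try:
        param = _b64d(param_b64)
        tag = _b64d(tag_b64)
        address, issued_text = param.decode().split("|")
        issued = int(issued_text)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed challenge parameter"
    expected = hmac.new(secret, param, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):      # constant-time tag comparison
        return False, "challenge tag invalid (not issued by the CA)"
    if address != sender:
        return False, f"challenge issued for {address}, reply from {sender}"
    if not 0 <= now - issued <= MAX_AGE:
        return False, "challenge expired"
    return True, address


# ---- constructed sample traffic -------------------------------------------
ISSUED = 1470182100                                     # constructed timestamp
CHALLENGE_ID = make_challenge_id("victim@example.com", ISSUED)

# Genuine reply to the CA's challenge; note the "Re:" subject is harmless.
LEGIT_REPLY = f"""From: Victim <victim@example.com>
To: robot@roboca.net
Subject: Re: roboca address challenge
In-Reply-To: {CHALLENGE_ID}

confirm
"""

# The reply-to-all attack from the thread: the attacker mails the victim and
# the CA together; the victim's reply-all reaches the CA but references the
# attacker's Message-ID, not a CA-issued challenge.
REPLY_ALL_ATTACK = """From: Victim <victim@example.com>
To: attacker@attacker.example, robot@roboca.net
Subject: Re: quick question
In-Reply-To: <20160802.1234@attacker.example>

sure, whatever
"""

# Attacker who knows the Message-ID format but not the CA secret.
FORGED_ID = f"<{_b64e(f'victim@example.com|{ISSUED}'.encode())}.{_b64e(b'0' * 16)}@{CA_DOMAIN}>"
FORGED_REPLY = LEGIT_REPLY.replace(CHALLENGE_ID, FORGED_ID)

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT_REPLY), ("reply-all", REPLY_ALL_ATTACK), ("forged", FORGED_REPLY)]:
        print(label, verify_reply(raw, ISSUED + 60))
```

A real deployment would sign the parameter with the CA's ECDSA key as the post suggests, so that the challenge Message-ID can be verified by anyone holding the public key; the HMAC here only needs the CA to check its own tags. The expiry window is what limits the value of a proof-of-sending that an attacker recovers later from a mailbox or archive.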