DKIM and email address proof-of-control
2014-667rhzu3dc-lists-groups at riseup.net
Mon Aug 1 11:49:48 CEST 2016
On Monday 1 August 2016 at 6:31:15 AM, in
<mid:5596d79c-5257-4c40-1cba-08af9f870a34 at twopif.net>, Lachlan Gunn wrote:
> Has anyone had a go at using DKIM signatures as a way of verifying
> control of an email address with GPG?
> I've seen a few mentions of the idea online, particularly here:
> Some of the problems that I can see:
> 1. Is the assumption valid that (absent server or endpoint compromise)
> only a user authorised by the provider can get a DKIM signature on mail
> with a From address from that provider?
The links you provided point out that DKIM certifies only the domain
of the email address, not the user part. The From address in the email
header may not be the same as the MAIL FROM part of the SMTP dialogue.
It might be that the first is trusted@example.com while the second is
attacker@example.com. And both may differ from the credentials used to
sign into the SMTP server.
> 3. How do you protect against attacks involving reply-to? Is the lack
> of a Re: in the subject line sufficiently convincing?
IMHO, no. What about:-
reply numbering, such as "Re:"?
Non-English versions, such as "Aw:"?
changed subject lines, for example to begin with a help ticket number or
simply to make the subject match the content?
MFPA <mailto:2014-667rhzu3dc-lists-groups at riseup.net>
My mind works like lightning... one brilliant flash and it's gone
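MFPA's point above (a DKIM signature attests the signing domain in its d= tag, never the local part, and the From: header can differ from the SMTP MAIL FROM) as an added Python example that is not part of the original thread. The message, its Return-Path and the placeholder signature values are constructed; the helper reports what a valid signature would and would not establish, and does not itself verify the signature.

```python
import email
import re
from email.policy import default

# Constructed sample: the From: local part is "trusted", the envelope
# sender recorded in Return-Path is a different user, and the DKIM
# signature is only for the domain. bh= and b= are placeholders.
SAMPLE = """\
Return-Path: <attacker@example.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: trusted@example.com
To: victim@example.net
Subject: key confirmation

hello
"""


def parse_dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376
    section 3.2). Folding whitespace inside values is discarded."""
    tags = {}
    for item in str(header_value).split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def addr_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def what_dkim_proves(raw_message):
    """Report what a *valid* DKIM signature on this message would attest.
    Cryptographic verification of b= is assumed to have happened elsewhere."""
    msg = email.message_from_string(raw_message, policy=default)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    from_addr = msg["From"].addresses[0].addr_spec
    # Return-Path carries the SMTP MAIL FROM as recorded at final delivery.
    mail_from = msg["Return-Path"].strip("<> ") if msg["Return-Path"] else ""
    signing_domain = tags["d"].lower()
    return {
        "signing_domain": signing_domain,
        # DMARC-style alignment: the From: domain matches d=.
        "from_domain_aligned": addr_domain(from_addr) == signing_domain,
        # The user part of From: is never attested by DKIM.
        "from_local_part_attested": False,
        "from_matches_mail_from": from_addr.lower() == mail_from.lower(),
        "from_header_signed": "from" in tags.get("h", "").lower().split(":"),
    }
```

For the sample, the domain aligns and From: is covered by the signature, yet the envelope sender is a different account: the signature alone says nothing about who controls the trusted mailbox.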