DKIM and email address proof-of-control
lachlan at twopif.net
Wed Aug 3 03:42:36 CEST 2016
On 2016-08-02 at 23:35, MFPA wrote:
> But to bring it back
> on-topic, would a DKIM signature on such a message be for the
> gmail.com domain or the twopif.net domain?
The key is from twopif.net, though obviously Google have the private
key rather than myself.
> Is this a Denial of Service attack, rather than an attempt to get
> roboca to certify something it shouldn't?
No, the idea is that you send an email to victim at example.com and
roboca at roboca.com and when the victim hits reply-to-all the
response goes to the CA as well. If such an email is considered
acceptable, then an attacker who can get hold of the email now has a
> I thought the message-ID had to end in a fully qualified domain name.
Yes, you would do something like
<a-shortish-ecdsa-signature-of-some-parameter>@roboca.net. But thinking
about it further, this would mean that you couldn't mandate a clean
subject line (no Re: etc.) without user intervention.
I guess I'll go ahead and start building, then we'll see how it looks in
More information about the Gnupg-users
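An added worked example, not part of this thread and not roboca's own code, of the check the post sketches: the CA mints a challenge Message-ID of the form `<token>@roboca.net` and later accepts a reply only if its In-Reply-To carries a token the CA itself minted for the sender's address. The reply-to-all trick in the post then fails, because the victim's reply references the attacker's Message-ID rather than a CA-minted one. It assumes an HMAC over the address in place of the ECDSA signature the post mentions (only the CA ever verifies its own tokens, so a MAC suffices here), and the secret, addresses and messages are constructed for the example. The Subject header is deliberately ignored, since the post notes a clean subject line cannot be mandated.

```python
import base64
import binascii
import email
import hashlib
import hmac
from email.utils import parseaddr

CA_DOMAIN = "roboca.net"  # Message-ID domain from the thread
# Constructed placeholder secret; a real CA would keep this in an HSM or KMS.
CA_SECRET = b"constructed-example-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_challenge_message_id(address: str, secret: bytes = CA_SECRET) -> str:
    """Mint <addr-b64.mac-b64@roboca.net> for the CA's challenge mail.

    The address is embedded so the verifier knows what the token was minted
    for; the truncated HMAC (assumption: stands in for the ECDSA signature)
    stops anyone else from minting a token that the CA will accept.
    """
    addr = address.strip().lower().encode("utf-8")
    mac = hmac.new(secret, addr, hashlib.sha256).digest()[:16]
    return f"<{_b64(addr)}.{_b64(mac)}@{CA_DOMAIN}>"


def address_from_message_id(msgid: str, secret: bytes = CA_SECRET):
    """Return the address a CA-minted Message-ID was issued for, else None."""
    msgid = msgid.strip()
    if not (msgid.startswith("<") and msgid.endswith(f"@{CA_DOMAIN}>")):
        return None
    local = msgid[1:-len(CA_DOMAIN) - 2]
    try:
        addr_b64, mac_b64 = local.split(".")
        addr, mac = _unb64(addr_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, addr, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(mac, expected):
        return None
    return addr.decode("utf-8")


def verify_reply(raw_reply: str, secret: bytes = CA_SECRET):
    """Accept a reply only if it references a CA-minted challenge for its sender.

    Subject is not consulted at all; only From plus the threading headers
    matter, and the proven address must equal the From address so that a
    challenge issued to one mailbox cannot be redeemed from another.
    """
    msg = email.message_from_string(raw_reply)
    sender = parseaddr(msg.get("From", ""))[1].strip().lower()
    refs = (msg.get("In-Reply-To", "") + " " + msg.get("References", "")).split()
    for ref in refs:
        proven = address_from_message_id(ref, secret)
        if proven is not None and proven == sender:
            return proven
    return None


CHALLENGE_ID = make_challenge_message_id("victim@example.com")

# Constructed: the victim answers the CA's genuine challenge (subject is noisy).
GOOD_REPLY = f"""From: Victim <victim@example.com>
To: roboca@roboca.com
Subject: Re: Fwd: please confirm
In-Reply-To: {CHALLENGE_ID}

ok
"""

# Constructed: the reply-to-all case from the thread. The attacker mailed the
# victim and the CA together; the victim's reply references the attacker's
# Message-ID, which the CA never minted, so it proves nothing.
REPLY_ALL = """From: Victim <victim@example.com>
To: attacker@example.net, roboca@roboca.com
Subject: Re: hello
In-Reply-To: <1234.attacker@example.net>

sure
"""

# Constructed: a Message-ID in the CA's format but with a bogus MAC.
FORGED = f"""From: Victim <victim@example.com>
In-Reply-To: <{_b64(b"victim@example.com")}.{_b64(b"0" * 16)}@roboca.net>

ok
"""

if __name__ == "__main__":
    print("challenge:", CHALLENGE_ID)
    print("good reply proves:", verify_reply(GOOD_REPLY))
    print("reply-all proves:", verify_reply(REPLY_ALL))
    print("forged proves:", verify_reply(FORGED))
```

The three constructed messages cover the honest reply, the reply-to-all scenario and a forged token; a fourth case worth checking is a genuine challenge for one address being redeemed from a different From address, which the equality check in `verify_reply` also rejects.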