DKIM and email address proof-of-control

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Mon Aug 1 11:49:48 CEST 2016


On Monday 1 August 2016 at 6:31:15 AM, in
<mid:5596d79c-5257-4c40-1cba-08af9f870a34 at twopif.net>, Lachlan Gunn
wrote:


> Hello,

> Has anyone had a go at using DKIM signatures as a
> way of verifying
> control of an email address with GPG?
> I've seen a few mentions of the idea online,
> particularly here:

> https://security.stackexchange.com/questions/107417/pgp-key-signing-robot-dkim-verified-emails/

>
> https://github.com/keybase/keybase-issues/issues/373

[snipped]

> Some of the problems that I can see:

> 1. Is the assumption valid that (absent server or
> endpoint compromise)
> only a user authorised by the provider can get a
> DKIM signature on mail
> with a From address from that provider?

The links you provided point out that DKIM certifies only the domain
of the email address, not the user part. The From address in the email
header may not be the same as the MAIL FROM part of the SMTP dialogue.
It might be that the first is trusted at example.com while the second is
attacker at example.com. And both may differ from the credentials used to
sign into the SMTP server.



> 3. How do you protect against attacks involving
> reply-to?  Is the lack
> of a Re: in the subject line sufficiently convincing?

IMHO, no. What about:-

      reply numbering, such as "Re[2]:"?

      Non-English versions, such as "Aw:"?

      changed subject lines, for example to begin with a help ticket
      number or simply to make the subject match the content?



-- 
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

My mind works like lightning... one brilliant flash and it's gone
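As an added illustration of the two caveats raised in this thread (DKIM attests only the d= domain, and a missing "Re:" is weak evidence that a mail is not a reply), here is the kind of pre-check a key-signing robot would run on a DKIM-signed message before treating it as proof of control. This is example code written for this page, not anything from the thread's authors or from GnuPG; it assumes the DKIM signature itself has already been cryptographically verified by other means, and the sample messages, the placeholder bh=/b= values and the reply-marker list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Reply markers: "Re:", "Re[2]:", German "AW:", Scandinavian "SV:", forwards. Constructed list, not exhaustive.
REPLY_MARKER = re.compile(r'^\s*(re|aw|sv|vs|fw|fwd|wg|tr)(\s*\[\d+\])?\s*:', re.IGNORECASE)

def dkim_tags(header_value):
    """Split a DKIM-Signature value into its RFC 6376 tag=value pairs, dropping folding whitespace."""
    tags = {}
    for item in header_value.split(';'):
        if '=' in item:
            name, value = item.split('=', 1)
            tags[name.strip()] = ''.join(value.split())
    return tags

def assess_proof_of_control(raw_message):
    """Findings a key-signing robot would want before accepting a DKIM-signed mail as proof of a From address."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get('From', ''))
    from_domain = from_addr.rpartition('@')[2].lower()
    sig = msg.get('DKIM-Signature')
    if sig is None:
        return {'from': from_addr, 'signed_domain': None, 'findings': ['no DKIM-Signature header']}
    tags = dkim_tags(sig)
    signed_domain = tags.get('d', '').lower()
    signed_headers = {h.lower() for h in tags.get('h', '').split(':')}
    findings = []
    # DKIM attests the d= domain only: the local part of From is never proven by the signature.
    if not (from_domain == signed_domain or from_domain.endswith('.' + signed_domain)):
        findings.append('From domain %s not covered by signing domain %s' % (from_domain, signed_domain))
    # A local part in i= is only the signer's claim; RFC 6376 makes it opaque to the verifier.
    if '@' in tags.get('i', '') and not tags['i'].startswith('@'):
        findings.append('i= carries a local part; treat it as unverified')
    # Headers we reason about must be inside h=, otherwise they may have changed in transit.
    for needed in ('from', 'subject'):
        if needed not in signed_headers:
            findings.append('header %s not covered by h=' % needed)
    # Reply detection: a missing "Re:" proves little, so check markers and threading headers.
    if REPLY_MARKER.match(msg.get('Subject', '')):
        findings.append('subject looks like a reply')
    if msg.get('In-Reply-To') or msg.get('References'):
        findings.append('threading headers show this is a reply')
    return {'from': from_addr, 'signed_domain': signed_domain, 'findings': findings}

# Constructed sample messages (bh= and b= values are placeholders, not real signatures).
FRESH = ("From: Alice <alice@example.com>\nSubject: Key proof for my OpenPGP key\n"
         "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; i=@example.com;\n"
         " h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\n\nPlease sign my key.\n")
REPLIED = ("From: Alice <alice@example.com>\nSubject: Aw: please confirm\n"
           "In-Reply-To: <constructed-1@other.example>\n"
           "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; i=alice@example.com;\n"
           " h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER\n\nConfirmed.\n")
```

Running `assess_proof_of_control(FRESH)` yields no findings, while `REPLIED` is flagged on the subject marker, the threading header and the unverifiable local part in i=.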




More information about the Gnupg-users mailing list