Re: [exim] Proposal: $message_body_hash_sha1

Top Page
Delete this message
Reply to this message
Author: Ian Eiloart
Date:  
To: exim-users
New-Topics: [exim] DKIM, Mailing-lists and signing lengths
Subject: Re: [exim] Proposal: $message_body_hash_sha1


--On 11 June 2010 22:37:09 -0700 Phil Pennock <exim-users@???>
wrote:

> On 2010-06-11 at 23:34 +0200, Heiko Schlittermann wrote:
>> Ian Eiloart <iane@???> (Fr 11 Jun 2010 18:25:45 CEST):
>> > >> Or is this something useful for other Exim users, too?
>> > >
>> > > Could be - in case we have to prove that we didn't change the message
>> > > after reception (the hash has to be signed, of course).
>> > So, why not use the DKIM features?
>>
>> Stupid question maybe: does the DKIM signature include the message body?
>> (I always thought, it's only a signature for selected header fields.)
>
> Yes, it includes the message body; otherwise a spammer could just
> include the headers from a valid message and a new body and pump out
> spam which verifies as coming from an identity that they do not actually
> have administrative control of.
>
> DKIM contains two ways of forming the message body, for signing
> purposes, and optionally lets you only sign the first 'l' bytes of the
> body. So you could theoretically use l=0 but at this time I can't
> conceive of a scenario where that would be wise.


It might allow the signature to survive the addition of a mailing list sig.

> RFC 4871
>
> -Phil




--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/