On 5/3/19 5:10 PM, Kevin A. McGrail wrote:
> I guess if you lose control of your keys and/or your DNS is compromised, then yes, you have a DKIM issue.

This brings up a non-repudiation issue introduced by DKIM. How can you successfully refute a DKIM-Signature if someone has your signing keys?
My quick skim of parts of RFC 6376 makes me think that it is dangerous and discouraged to associate authentication based on DKIM-Signature, even when the d= SDID (?) matches the From: header.
Yet even more reason to reread RFC 6376 before replying to Bill's email. Presently I'm comfortable in thinking that DKIM-Signature validation means that the message has not changed in transit. I'm not (yet) comfortable drawing any conclusions about authentication.
-- Grant. . . . unix || die