On 8/26/20 10:54 AM, Dotzero wrote:
>
> On Wed, Aug 26, 2020 at 1:32 PM Doug Foster
> <fosterd=40bayviewphysicians....@dmarc.ietf.org> wrote:
>
> > Are the weak signatures vulnerable to a replay attack? I
> > thought that one of the reasons that DKIM signatures included the
> > whole body was to prevent the signature from being reused.
> >
> > DF
>
> Not particularly vulnerable. The requirement is that you have the
> "weak signature" plus the intermediary full DKIM signature. This lets
> the validator/receiver know that the originating domain knew that the
> intermediary might break the originating domain's DKIM signature but
> the validator/receiver would have the DKIM signature of the
> intermediary. The "weak signature" is only validated against that
> specific message and headers it signed and that specific intermediary.
> It's not a generic/general signature.

It sounds like the weak signature is just a regular DKIM signature plus
the designation of the intermediary, and the "weak" part is that you
don't check the body hash against the body. Have I got that right?

-Jim

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc