Address->Mail signing, multiple signatures
dwmw2 at infradead.org
Wed Feb 25 14:11:23 GMT 2004
On Wed, 2004-02-25 at 13:54 +0000, David Woodhouse wrote:
> On Tue, 2004-02-24 at 11:30 +0000, David Woodhouse wrote:
> > The proposal as it stands; as a straw man to be argued against...
> I'll expand on it a bit.
We could also add an 'Original-To:' header and sign that. We can't sign
the 'To:' header itself though because that _will_ get rewritten.
And we may want to include the Message-Id in _all_ the hashes we make,
to stop a potential attack making some kind of replay attack by mixing
up parts of signed headers with parts of signed body from _other_ mails.
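
The mixing-up problem described in the message above, as an added example that is not part of the original post or of the proposal. It assumes headers and body are signed separately, uses HMAC-SHA256 with a constructed key as a stand-in for the real signature, and all function names and sample mails are hypothetical.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: HMAC key stands in for the signing key

# Constructed sample mails; only the fields the example needs.
MAIL_A = {"Message-Id": "<a1@example.org>", "Original-To": "alice@example.org",
          "body": "Meeting moved to 3pm."}
MAIL_B = {"Message-Id": "<b2@example.org>", "Original-To": "bob@example.org",
          "body": "Invoice attached."}

def mac(*parts):
    """HMAC over length-prefixed parts so field boundaries are unambiguous."""
    h = hmac.new(KEY, digestmod=hashlib.sha256)
    for p in parts:
        data = p.encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()

def sign(msg, bind_id):
    """Separate header and body tags; bind_id mixes Message-Id into both."""
    mid = msg["Message-Id"] if bind_id else ""
    return {"hdr": mac("hdr", mid, msg["Original-To"]),
            "body": mac("body", mid, msg["body"])}

def verify(msg, sig, bind_id):
    """Recompute both tags from the received mail and compare in constant time."""
    good = sign(msg, bind_id)
    return (hmac.compare_digest(good["hdr"], sig["hdr"])
            and hmac.compare_digest(good["body"], sig["body"]))

def splice(a_msg, a_sig, b_msg, b_sig):
    """Signed headers of one mail combined with the signed body of another."""
    msg = dict(a_msg, body=b_msg["body"])
    return msg, {"hdr": a_sig["hdr"], "body": b_sig["body"]}

def splice_accepted(bind_id):
    """True if the spliced mail passes verification under the given scheme."""
    msg, sig = splice(MAIL_A, sign(MAIL_A, bind_id), MAIL_B, sign(MAIL_B, bind_id))
    return verify(msg, sig, bind_id)

if __name__ == "__main__":
    print("without Message-Id in the hashes:", splice_accepted(False))
    print("with Message-Id in every hash:  ", splice_accepted(True))
```

With the Message-Id in every hash, the body tag from the second mail no longer matches the Message-Id carried in the first mail's headers, so the combined message is rejected.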