[Cryptography] How to prove Wikileaks' emails aren't altered

Jon Callas jon at callas.org
Wed Oct 26 15:39:38 EDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Here's a short opinion from one of the DKIM authors.

DKIM doesn't do what is claimed for verifying email authenticity. A DKIM signature is from the "administrative domain" which is not the same thing as the domain part of the sender. Virtual hosting, many other infrastructure things make it so that the administrative domain is neither one-to-one nor onto email domains in the general case.

It means that legitimate users of a given system can forge messages from some other user and they'll get a DKIM signature on them. Yeah, perhaps you can detect from headers and other things that the message was "forged" but perhaps you can't. I put scare quotes around forged because there are many situations where a user sends a message with some other name on it that are legitimate and in many cases this isn't a bug, it's a feature.

The DKIM signer simply stamps outgoing messages somewhere in the outgoing pipeline, it doesn't have user authenticity in it as anything other than guidance.

Moreover, the DKIM signing keys have to be sitting on some server that processes outgoing email.

This means that in a case where someone has hacked a system, if they have the email stores, they probably also have the DKIM signing key. If they have the DKIM signing key they can create whatever messages they want and sign them, with backdating and anything else they want.

If you're using DKIM signatures to verify a hacked mail store, you're (e.g.) assuming they have the user maildirs, but not the server config files.

Lastly, this property -- that DKIM doesn't provide author/message authenticity -- is a *GOAL* of DKIM. When we were making it, we were very concerned that the legitimate needs of spam fighting etc. would turn it into a tracking and surveillance system. DKIM is designed to make the connection between the DKIM signature and author authenticity tenuous at best.

Here's a short description of the DKIM use case: DKIM allows Gmail to know that a message for Alice from her bank was created by her bank, even when it is forwarded through her university alumni email address.

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.3.0 (Build 9060)
Charset: us-ascii

-----END PGP SIGNATURE-----
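
An added example (not part of the original message, and not code from the DKIM authors): a small parser that reports what a DKIM-Signature header identifies, using the `d=`, `i=` and `h=` tags from RFC 6376. The sample messages, domains and placeholder values are constructed, and no signature is cryptographically verified.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; bh=/b= values are placeholders, not real signatures.
HOSTED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=mailhost.example; s=k1;\n"
    "\th=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "From: Alice <alice@example.org>\nTo: carol@example.net\nSubject: hi\n\nbody\n")
SAME_DOMAIN = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; i=@example.com; s=k1;\n"
    "\th=from:date:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "From: Bob <bob@example.com>\nDate: Wed, 26 Oct 2016 15:00:00 -0400\n"
    "Subject: hi\n\nbody\n")

def parse_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # split on first '=' only
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def signature_scope(raw):
    """Describe what each DKIM-Signature names. No cryptographic check is done."""
    msg = message_from_string(raw)
    author = parseaddr(msg.get("From", ""))[1].lower()
    author_domain = author.rpartition("@")[2]
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        d = tags.get("d", "").lower()          # the signing (administrative) domain
        ident = tags.get("i", "")              # optional; may be just "@domain"
        signed = [h.lower() for h in tags.get("h", "").split(":")]
        report.append({
            "signing_domain": d,
            "author": author,
            # True only if the From domain is d= or a subdomain of it
            "author_domain_aligned": author_domain == d
                                     or author_domain.endswith("." + d),
            "from_signed": "from" in signed,
            # Coverage only: the Date value is whatever the signer was handed
            "date_signed": "date" in signed,
            # False when i= is absent or has an empty local part
            "names_a_user": "@" in ident and not ident.startswith("@"),
        })
    return report
```

In the second sample the author domain matches `d=`, yet nothing in the signature names `bob`: the signature speaks for the domain that stamped the message, not for the user in the From header.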
