Ryuichi wrote: ↑Mon Jan 08, 2024 7:41 am
lonza leggiera wrote: ↑Mon Jan 08, 2024 6:00 am
It's not nearly as easy as that to do it undetectably. If the .eml file contains a purported DKIM signature (and I've checked that Gmail doesn't strip them out when you ask it for the original source of an email), then that will contain the name of the domain supposedly responsible for adding the signature, and a selector for the record in which the domain's name server stores the public key needed to authenticate it. If you can successfully retrieve that public key and use it to authenticate the signature, then the only reasonably plausible explanation is that the email was sent from (or relayed by) that server at the time indicated by the DKIM time stamp, and that the body of the email has not been altered from what it was when it was signed.
Happy to be edified.
Do we agree that if provided solely with the emails in .eml format, assuming that DKIM signatures are included, verification would be an active step - a thing that would need to be actively done? That email readers do not necessarily perform this verification, though some do or can be configured to do so.
And so, the presence of DKIM signatures in the .eml is not in itself verification of the emails.
Yes. Until you've actually performed the proper procedure for authenticating the signature then you have no compelling evidence for its authenticity. The mere presence of a DKIM signature in the .eml file doesn't provide any such compelling evidence.
For mine, "Did the current ArbCom verify the emails by comparing against the body hash and DKIM signature?" is an interesting question.
If not, is this something they should, would or could do?
Yes, it's an interesting question, and if there are any DKIM signatures in the .eml files it's certainly something that they could easily do and, in my opinion, should have done.
If so, is it something that would be best mentioned by ArbCom publicly?
It has apparently taken those emails as sufficiently compelling evidence of wrongdoing by various parties to warrant them being sanctioned. For any competent body to do such a thing, it should go without saying that they've carried out every reasonable precaution to ensure that those emails are genuine, so I wouldn't consider it necessary for them to acknowledge publicly that they've done so, although I can't see what harm it would do either.
I wonder if anyone will ask.
Ditto.
And you, rather than our poor players' costumes, consider our souls. For we are men of flesh and bone, and, like you, we breathe the air of this orphan world.
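The procedure described in the thread has two parts: recomputing the body hash (bh=) and verifying the signature (b=) with the key published in DNS. As an added example, not code from anyone in this thread, the Python below does the first part on a raw .eml: it parses the DKIM-Signature header, canonicalizes the body per RFC 6376 ("simple" or "relaxed") and compares the recomputed hash with the claimed one. The sample message, its domain, selector and addresses are constructed, and its b= value is a placeholder; checking b= would still need the public key fetched from DNS.

```python
import base64
import hashlib
import re

def split_message(raw):
    """Split a raw message into (header block, body) at the first empty line, CRLF-normalized."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head, body.replace("\n", "\r\n")

def parse_dkim_tags(head):
    """tag=value pairs of the first DKIM-Signature header; folded continuation lines are unfolded."""
    unfolded = re.sub(r"\n[ \t]+", " ", head)
    m = re.search(r"^DKIM-Signature:\s*(.*)$", unfolded, re.M | re.I)
    text = m.group(1) if m else ""
    pairs = (p.split("=", 1) for p in text.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def canonicalize_body(body, mode):
    """RFC 6376 body canonicalization: 'simple' or 'relaxed'."""
    lines = body.split("\r\n")
    if mode == "relaxed":  # strip trailing WSP, squeeze inner WSP runs to one space
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":  # both modes drop trailing empty lines
        lines.pop()
    if not lines:  # empty body: simple yields one CRLF, relaxed yields nothing
        return "\r\n" if mode == "simple" else ""
    return "\r\n".join(lines) + "\r\n"

def body_hash_matches(raw_eml):
    """Recompute bh= over the canonicalized body and compare with the header's claim;
    returns (ok, computed, claimed). Only proves the body is unaltered since signing: the
    b= signature still needs the public key from <s>._domainkey.<d> in DNS. l= is ignored."""
    head, body = split_message(raw_eml)
    tags = parse_dkim_tags(head)
    if "bh" not in tags:
        return False, None, None
    c = tags.get("c", "simple/simple")            # c=relaxed alone means body is 'simple'
    body_mode = c.split("/")[1] if "/" in c else "simple"
    algo = "sha1" if tags.get("a", "").endswith("sha1") else "sha256"
    digest = hashlib.new(algo, canonicalize_body(body, body_mode).encode()).digest()
    computed = base64.b64encode(digest).decode()
    return computed == tags["bh"], computed, tags["bh"]

# Constructed sample .eml: domain, selector and addresses are made up, b= is a placeholder.
SAMPLE_BODY = "Hello,\r\n\r\nThe  meeting is at   10:00.\r\n\r\n\r\n"
SAMPLE_BH = base64.b64encode(hashlib.sha256(canonicalize_body(SAMPLE_BODY, "relaxed").encode()).digest()).decode()
SAMPLE_EML = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    "\th=from:to:subject; bh=" + SAMPLE_BH + ";\r\n"
    "\tb=NOT_A_REAL_SIGNATURE\r\n"
    "From: alice@example.com\r\nTo: bob@example.org\r\nSubject: Minutes\r\n\r\n" + SAMPLE_BODY
)
```

With c=relaxed/relaxed, a change to inter-word spacing in the body still matches, while any change to the body text itself does not; a signer using simple canonicalization would flag both.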