From: Murray S. K. <ms...@se...> - 2004-09-03 06:51:11
On Wed, 1 Sep 2004, Jim Fenton wrote:
> You do point out a problem though: In such a case an attacker could
> remove Cc from the h= list (and then add the Cc line) because the
> DomainKey-Signature header itself isn't signed.

That would break the verification though, since presumably the signer had
the Cc: header present when the canonicalization was done.