From cb4531cb9cb22e8f3f2e4b555bd4e72005011833 Mon Sep 17 00:00:00 2001 From: Robert David Graham Date: Fri, 30 Oct 2020 05:41:21 -0400 Subject: [PATCH] Update README.md --- README.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8bbd121..0f3367a 100644 --- a/README.md +++ b/README.md @@ -89,8 +89,16 @@ an authenticated user of that account. The `Date:` field in the headers/metadata is included in the signature. DKIM verifies the contents of that field (that somebody didn't alter after signing), -but not that it's the correct date. -Since the signing key changed a year later, we know the date was before 2016. +but not that it's the correct date. Any fraudulent information can be put here. + +But the fraud would have to occur at the time the email was sent. And that time +would have be before October 2016, when GMail changed their DKIM signing keys. + +Thus, it's effectively timestamped "some time after January 2012 and before October 2016". + +In other words, we know it came from Vadym Pozharskyi, but he couldn't sent it +around a year later than the authenticated email headers claimed he sent it, like April 2016 +instead of April 2015. There are other timestamps in the email headers/metadata, but they aren't validated by DKIM, and hence, could be forged.
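Review bot: In the last added paragraph, "but he couldn't sent it around a year later" is ungrammatical and reads as the opposite of what the two paragraphs before it argue. Those paragraphs say the signed `Date:` value is bounded only by the key change, so the sentence presumably means he could have sent it about a year later than the headers claim; suggest "but he could have sent it around a year later than the authenticated email headers claimed he sent it". In the second added paragraph, "would have be before October 2016" is missing "to". The lower bound in "some time after January 2012" is stated without support in the lines visible here, while the upper bound is tied to the GMail key change; if January 2012 is when this signing key came into use, say so in the same sentence so the window is justified at both ends.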