1. The fact that some folk know about these issues and that they were
talked about at some point in time and that there is an obscure record of
those discussions does not mean that these issues are well-documented or
well-understood broadly.
The guy who wrote the security screed appears to have made not even the
least attempt to see if these are known issues (Google finds them pretty
fast.) I don't think I would want to take security advice from someone
like that.
I haven't bothered with a detailed critique of the paper.
Here you go:
1. You can add extra Subject and From headers!
2. There are changes that don't change the semantics of the message (much)
but break the signature!
The first was beaten to death by someone we both know at innumerable IETF,
M3AAWG, and other meetings. The other is mentioned in the spec.
We should strongly consider producing such a treatment, with a title
like "DKIM Pragmatics" or the like.
We could do that but I don't see any reason to think that the people who
haven't read any of the other good advice would read it.
R's,
John
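The two issues listed above (an extra From/Subject header, and byte-level changes that do not alter the meaning of a message) both come down to which header bytes the DKIM signature actually covers. The script below is an added illustration, not code from this thread or from any DKIM implementation: it models RFC 6376's "relaxed" header canonicalization and the bottom-up header selection rule for the h= tag, and shows why an h= list that names From, To and Subject twice ("over-signing") makes a prepended second From break the signature while a single-signed list lets it pass, and why relaxed canonicalization keeps a re-folded Subject verifying. All message headers are constructed samples; the signature itself is not computed, only the hash input it would cover.

```python
import hashlib
import re

# Constructed sample message headers, top to bottom (not from the thread).
ORIGINAL_HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "Bob <bob@example.net>"),
    ("Subject", "Quarterly   numbers"),
]

# Same message after a relaying MTA refolded and re-spaced the Subject:
# semantically unchanged but byte-different (constructed).
REFOLDED_HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "Bob <bob@example.net>"),
    ("Subject", "Quarterly\r\n numbers"),
]

# Same message with a second From header prepended (constructed).
EXTRA_FROM_HEADERS = [("From", "Mallory <ceo@example.com>")] + ORIGINAL_HEADERS


def relaxed_canon(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization:
    lowercase the field name, unfold, collapse whitespace runs to one
    space, strip surrounding whitespace, terminate with CRLF."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def select_headers(headers, h_list):
    """RFC 6376 section 5.4.2: for each name in the h= tag, take the
    last not-yet-consumed occurrence scanning from the bottom of the
    header block. A name listed more times than it occurs ('over-signing')
    selects a non-existent header, which contributes nothing to the hash."""
    remaining = list(headers)
    selected = []
    for name in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                selected.append(relaxed_canon(*remaining.pop(i)))
                break
        else:
            selected.append("")  # over-signed slot: header absent
    return selected


def header_hash(headers, h_list):
    """Hash over the canonicalised, selected headers. The DKIM-Signature
    field itself and the actual RSA/Ed25519 step are left out; equality of
    this hash is what decides whether the signature would still verify."""
    data = "".join(select_headers(headers, h_list)).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def signature_survives(signed_headers, received_headers, h_list):
    """True if a signature computed over signed_headers with this h= list
    would still verify over received_headers."""
    return header_hash(signed_headers, h_list) == header_hash(received_headers, h_list)


def top_header(headers, name):
    """The top-most value of a field, which a client that renders only one
    From would typically show (the signed From may sit lower down)."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


# h= list that signs each header once versus one that over-signs From/To/Subject.
WEAK_H = ["from", "to", "subject"]
OVERSIGNED_H = ["from", "from", "to", "to", "subject", "subject"]

if __name__ == "__main__":
    print("extra From, single-signed :", signature_survives(ORIGINAL_HEADERS, EXTRA_FROM_HEADERS, WEAK_H))
    print("extra From, over-signed   :", signature_survives(ORIGINAL_HEADERS, EXTRA_FROM_HEADERS, OVERSIGNED_H))
    print("refolded Subject, relaxed :", signature_survives(ORIGINAL_HEADERS, REFOLDED_HEADERS, OVERSIGNED_H))
    print("top From after tampering  :", top_header(EXTRA_FROM_HEADERS, "From"))
```

The single-signed case verifies because the verifier walks the header block from the bottom and finds the original From first, leaving the added one unsigned; the over-signed list consumes that slot with an empty value at signing time, so any later occurrence changes the hash input. Checking a signer's h= tag for the doubled names is the quick audit a receiving or sending operator can do against this class of issue.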
_______________________________________________
dmarc-discuss mailing list
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)