From: "Jim Fenton" <[EMAIL PROTECTED]>
> There is no default list of signed headers in DKIM. This is intentional
> because it removes an unnecessary degree of freedom that otherwise might
> cause signatures to fail verification.

So in other words, force signers to declare the header(s) in the h=. Ok, I can see that.

IMO, this should be noted as a possible threat entry point to be researched because according to the draft spec, as it is written, only the h= tag is required. Code would have to be ready to handle this.

Finally, IMO, "visible headers" should be defined as this is the only near definitive statement an implementer has to go by in the spec.

Thanks Jim.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com

_______________________________________________
ietf-dkim mailing list
http://dkim.org
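The point raised in this message, that a verifier has only the h= tag to tell it what was signed, can be checked on the receiving side. The following is an added example, not part of the original message or of any DKIM implementation: it reports which displayed headers a signature's h= list leaves uncovered and does no cryptographic verification. The `VISIBLE_HEADERS` set, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string

# Assumption: headers a mail client typically shows; the draft under
# discussion does not define "visible headers".
VISIBLE_HEADERS = ("from", "to", "cc", "subject", "date")

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def signed_header_coverage(raw_message):
    """Report which visible headers the first signature's h= tag covers."""
    msg = message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {"status": "unsigned", "signed": [], "unsigned_visible": []}
    # No default list exists, so a missing or empty h= cannot be repaired.
    h_value = re.sub(r"\s+", "", parse_tags(sig).get("h", ""))
    signed = [h.lower() for h in h_value.split(":") if h]
    if not signed:
        return {"status": "invalid", "signed": [], "unsigned_visible": []}
    present = {name.lower() for name in msg.keys()}
    exposed = [h for h in VISIBLE_HEADERS if h in present and h not in signed]
    status = "partial" if exposed else "covered"
    return {"status": status, "signed": signed, "unsigned_visible": exposed}

# Constructed sample: the signer listed only From and Date in h=.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector;\n"
    "\th=from : date; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: alice@example.com\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "Date: Mon, 1 Jan 2024 00:00:00 +0000\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(signed_header_coverage(SAMPLE))
```

A "partial" result means the signature may verify while To and Subject carry no integrity protection, which is the case a verifier's policy has to decide on.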
