What about using l=0 in combination with bodyhash=sha:w2iu2y32iur2iu3yriuy2r3== ?

This is consistent with current implementations while allowing people to calculate the bodyhash separately. The only thing that a legacy application loses is the ability to verify the message body.

This provides a very nice, clean solution to deployment of new C18N algorithms as well, provided that the header c18n is not affected.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jim Fenton
> Sent: Tuesday, March 28, 2006 12:02 PM
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: Re: [ietf-dkim] mailing lists and -base
>
> [EMAIL PROTECTED] wrote:
> > Is signing the body at all an essential requirement? Yes, some
> > potential risk for a replay attack but otherwise "whoami I sent this"
> > should be sufficient for some providers,
> >
> As long as people support the l= tag, they could use l=0 to
> not sign the body. This capability has been cited as a
> reason to get rid of l= because it facilitates such
> "dangerous" behavior. IMO, if they want to sign such
> messages, and recipients want to accept them, let them do that.
>
> -Jim
> _______________________________________________
> NOTE WELL: This list operates according to
> http://mipassoc.org/dkim/ietf-list-rules.html
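The l=0 plus separate bodyhash idea discussed in this message, as an added example that is not part of the original thread or of any DKIM implementation: it shows that l=0 puts no body octets under the signature, while a separately carried hash of the whole body still detects a change. Assumptions: SHA-256 with base64 for the proposed bodyhash value, simple body canonicalization as defined in RFC 6376, and hypothetical function names and sample bodies.

```python
import base64
import hashlib

def canon_simple(body: bytes) -> bytes:
    """Simple body canonicalization: exactly one CRLF at the end of the body."""
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body

def signed_body_octets(body: bytes, l: int) -> bytes:
    """Body octets the signature hash covers when the signer sets l=<count>."""
    data = canon_simple(body)
    if l > len(data):
        raise ValueError("l= exceeds canonicalized body length")
    return data[:l]

def bodyhash_value(body: bytes) -> str:
    """Value for the proposed bodyhash tag (SHA-256 + base64 assumed here)."""
    digest = hashlib.sha256(canon_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")

def body_status(body: bytes, bodyhash: str, understands_bodyhash: bool) -> str:
    """What a verifier can conclude about the body of an l=0 message."""
    if not understands_bodyhash:
        return "unverified"          # legacy verifier: l=0 covers no body octets
    return "match" if bodyhash_value(body) == bodyhash else "mismatch"

# Constructed sample bodies, not taken from the thread.
ORIGINAL = b"Meeting moved to 3pm.\r\n\r\n"
MODIFIED = b"Meeting moved to 3pm.\r\n-- \r\nlist footer\r\n"
TAG = bodyhash_value(ORIGINAL)       # computed by the signer at send time

if __name__ == "__main__":
    # With l=0 both bodies contribute the same (empty) input to the signature.
    print(signed_body_octets(ORIGINAL, 0) == signed_body_octets(MODIFIED, 0))
    for name, body in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(name, body_status(body, TAG, False), body_status(body, TAG, True))
```
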
