> It is possible for software to detect mailing lists and perhaps use > l= on those messages, but not on others. It is even possible for > software to automatically detect its own signatures that break > because of trailers put on, and then start using l=. It could happen. > It's not a computationally infeasible problem. > > Similarly, software could take messages coming from some hosts and > trim the dangling trailers on some messages, and not on others. > > I also think that warnings about appropriate lengths is not only > unnecessary, but inappropriate. It's arrogant for the standard to > tell the implementer and the deployer how to do their job. Like all > rules of thumb, it can be carried to an absurd extreme, so I'm not > interested in hearing about the exception case. > > I'm especially uninterested because DKIM is a system that when > misused, it hurts the signer and no one else. If I start signing > messages with l=2 and some spammer uses that, guess who's hurt? Me.
Bad actors will find signatures surviving as a result of the 'l=n' parameter, can then add their malware which might be a very innocent looking URI pointing to some provider's AUP. This message can then be sent in bulk anywhere. The innocent URI may still cause an exploit to occur, and recipients might have thought they were trusting you. So who is hurt? Of course, the DKIM community will then need to explain to these end users about this wonderful feature that allowed them to be completely confused. -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
