On Sat, 09 May 2009 21:08:33 +0100, Steve Atkins <[email protected]> wrote:
> i: Additional information about the identity of the user or agent
> for which this message was signed
>
> This one is more controversial. It adds an awful lot of complexity and
> confusion about the semantics of what a signature is and quite a few
> people (myself included) would prefer it went away. But there are some
> potential uses for it, and some are already invested in it, so it
> seems unlikely we'd reach any consensus to drop it.

At the moment, this tag plays no part in the protocol (except that it needs to be correctly signed). It has caused confusion, which our recent errata have sought to dispel. Now there is the opportunity to sit down and define some proper rules for its use, if we are so minded (e.g. in mailing lists). Essentially, it could be useful for signatures which are NOT by the Author Domain.

> l: Body length count
>
> This opens up a whole host of security issues, related to being able
> to change the rendered content of the message entirely after signing
> without breaking the signature. Removing it would remove a security
> hole you can drive a bus through. Is it being used? Are there any
> situations where it has proved useful?

Signing the body is not essential for the primary purpose of DKIM, which is to expose phishers and the like. Malicious modification of a message _after_ it has been posted is relatively rare. So writing l=0 gives a way to sign the headers only (saving quite a bit of overhead if that is useful, plus removing all problems arising from changes of encoding and other mungings during transit). Moreover, there are too many agents around that insist on adding boilerplate to the end of messages (look what the mailing list expander for this list does, for example). Putting a proper l= value circumvents that problem (which is why it was out there in the first place).

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: [email protected]
snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
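
The l= behaviour both posters describe, as an added example that is not part of the original message: the body hash is taken over only the first l octets of the canonicalized body, so a footer appended in transit leaves it unchanged, and a verifier can measure how much of the received body the signature does not cover. It assumes "simple" body canonicalization and SHA-256; the function names and sample bodies are constructed for illustration.

```python
import base64
import hashlib


def canon_simple(body: bytes) -> bytes:
    """DKIM "simple" body canonicalization: ignore empty lines at the end
    and make sure the body ends in exactly one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, l=None) -> str:
    """Value of the bh= tag: base64(SHA-256) over the canonicalized body,
    truncated to the first l octets when an l= tag is present."""
    canon = canon_simple(body)
    if l is not None:
        if l > len(canon):
            # l= must not exceed the canonicalized body length
            raise ValueError("l= exceeds canonicalized body length")
        canon = canon[:l]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def unsigned_octets(body: bytes, l=None) -> int:
    """Octets of the received body that the signature does not cover.
    A verifier can log this or treat the uncovered tail as unsigned."""
    canon = canon_simple(body)
    return 0 if l is None else max(len(canon) - l, 0)


# Constructed sample: body as signed, and as received after a list footer
SIGNED = b"Please review the attached minutes.\r\n"
FOOTER = b"_______________\r\nNOTE WELL: footer added in transit\r\n"
RECEIVED = SIGNED + FOOTER
L = len(canon_simple(SIGNED))  # the "proper l= value" chosen by the signer

if __name__ == "__main__":
    print("no l=, footer added :", body_hash(RECEIVED) == body_hash(SIGNED))
    print("l=%d, footer added  :" % L, body_hash(RECEIVED, L) == body_hash(SIGNED))
    print("octets not covered  :", unsigned_octets(RECEIVED, L))
    print("l=0 covers no body  :", unsigned_octets(RECEIVED, 0), "octets unsigned")
```
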
