Steve Atkins wrote:
> On May 20, 2009, at 4:31 PM, Michael Thomas wrote:
>
>> Steve Atkins wrote:
>>> On May 20, 2009, at 3:57 PM, Michael Thomas wrote:
>>>> Steve Atkins wrote:
>>>>> Remember that we're considering the content of the message as
>>>>> displayed to the end user here,
>>>> No we're not. That has never been in the scope of the DKIM effort.
>>> Even if it weren't section 8.1 of the existing RFC, it's pretty
>>> obvious that a security issue that allows an attacker to create a
>>> validly signed email with their own content without access to the
>>> associated private key would be in scope for discussion.
>> They cannot alter the signed text.
>
> They can't alter the signed *bytes*. They *can* alter the signed text.
> That's the crux of the issue.
No they can't. At least not without invalidating the signature.
Crux dismissed.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
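A worked illustration of the "signed bytes versus displayed text" point the two posters are arguing over, added here as an example; it is not code from the thread, from either poster, or from any DKIM implementation. The thread does not name a mechanism, so this example assumes the one RFC 4871 section 8.1 (the section Steve cites) warns about: a signature that uses the l= body-length tag covers only the first l bytes of the canonicalized body, so anything appended after that point is unsigned yet is rendered to the reader as part of the message. The message body, header names and key are constructed, HMAC stands in for the RSA signature over the header set (the attacker has no key and never needs one), and the strict_length verifier option is an assumed verifier policy, not a spec requirement.

```python
import base64
import hashlib
import hmac

# Constructed sample message (not from the list thread).
ORIGINAL_BODY = b"Your invoice is attached. Please pay 100 USD.\r\n"
# Text an attacker appends after the signed portion of the body.
APPENDED_TEXT = b"\r\nUPDATE: send 10000 USD to account 1234 instead.\r\n"

# Hypothetical signer secret: stands in for the RSA private key that
# only the signing domain holds. The attacker never sees it.
SIGNER_KEY = b"signer-private-key-only-the-signer-has"


def canonicalize_simple(body):
    """DKIM 'simple' body canonicalization: drop trailing empty lines,
    keep exactly one terminating CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body, length=None):
    """bh= value: SHA-256 over the canonicalized body, truncated to
    the first `length` bytes when an l= tag is present."""
    canon = canonicalize_simple(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def _header_input(headers, tags):
    """What b= covers: the signed header fields plus the signature's own
    tags (bh=, l=), excluding b= itself."""
    parts = [
        "from:" + headers["from"],
        "subject:" + headers["subject"],
        "bh=" + tags["bh"],
    ]
    if "l" in tags:
        parts.append("l=%d" % tags["l"])
    return "\r\n".join(parts).encode()


def sign(headers, body, length=None):
    """Produce a DKIM-Signature-like tag set. HMAC replaces RSA here."""
    tags = {"bh": body_hash(body, length)}
    if length is not None:
        tags["l"] = length
    tags["b"] = hmac.new(SIGNER_KEY, _header_input(headers, tags),
                         hashlib.sha256).hexdigest()
    return tags


def verify(headers, body, tags, strict_length=False):
    """Return (signature_ok, body_fully_covered).

    signature_ok mirrors what a plain verifier reports: bh= matches the
    first l= bytes and b= matches the header set. body_fully_covered is
    False when the body extends past l=, i.e. the reader sees bytes the
    signature never covered. strict_length (assumed policy) turns that
    condition into a verification failure."""
    length = tags.get("l")
    if tags["bh"] != body_hash(body, length):
        return False, False
    expected = hmac.new(SIGNER_KEY, _header_input(headers, tags),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tags["b"]):
        return False, False
    fully_covered = length is None or len(canonicalize_simple(body)) <= length
    if strict_length and not fully_covered:
        return False, False
    return True, fully_covered


def demo():
    """Sign with l= covering the whole original body, then append text."""
    headers = {"from": "billing@example.com", "subject": "Invoice"}
    covered = len(canonicalize_simple(ORIGINAL_BODY))
    tags = sign(headers, ORIGINAL_BODY, length=covered)
    tampered = ORIGINAL_BODY + APPENDED_TEXT
    return {
        "original": verify(headers, ORIGINAL_BODY, tags),
        "tampered_lenient": verify(headers, tampered, tags),
        "tampered_strict": verify(headers, tampered, tags, strict_length=True),
        # Without l=, the same append breaks bh= and the signature fails.
        "tampered_no_l": verify(headers, tampered, sign(headers, ORIGINAL_BODY)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The signed bytes are indeed untouched: the first l bytes hash to the same bh= and the header set still verifies, so a verifier that only checks the signature reports a pass. The text the recipient reads, however, now ends with the attacker's "UPDATE" line. Dropping l= (or having the verifier treat a body longer than l= as a failure, as the strict_length branch does) is what closes the gap.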