On 5/20/09 11:42 PM, Murray S. Kucherawy wrote:
> Indeed, Outlook will opt to render an HTML part over a text part whenever
> given the choice. Thus, if you sign only the text/plain portion of a
> message and an attacker appends a text/html part, the unsigned HTML
> version will be rendered even if completely different from the text/plain
> part, and DKIM would give that a thumbs-up.
>
The conditions anticipated by l= were the limited case where a mailing list would append bits of information, such that the rest of the signature could be retained. As John has pointed out, that is challenging because of all of the rewriting that goes on. So I think we need to back up and decide whether it's worth arguing over whether a behavior change in the base is something we want to encourage. I don't have an opinion on that at the moment.

Eliot
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
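The failure mode Murray describes above, shown as an added example that is not part of the thread and not anyone's production code: a signer uses l= so that the DKIM body hash covers only the text/plain part and stops just before the closing MIME delimiter (the list-friendly choice Eliot refers to, which lets a list insert a footer part), and an attacker inserts a text/html part in exactly the same place. The body hash still matches, so a verifier that honours l= reports a pass. Assumptions: RFC 6376 "simple" body canonicalization and SHA-256 only (header signing is omitted entirely), a message that is already multipart/alternative with its Content-Type header covered by the signature, and a constructed boundary and message content; none of these values come from the thread.

```python
import base64
import hashlib
from typing import Optional

CRLF = b"\r\n"
BOUNDARY = b"----=_Part_0"  # constructed boundary, not from the thread


def simple_body_canon(body: bytes) -> bytes:
    # RFC 6376 "simple" body canonicalization: CRLF line endings,
    # trailing empty lines removed, exactly one CRLF at the end.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    while lines and lines[-1] == b"":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else CRLF


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    # bh= value: hash of the canonicalized body, truncated to l= bytes when
    # l= is present. Everything after those bytes is unsigned.
    canon = simple_body_canon(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def verify_body(body: bytes, expected_bh: str, length: Optional[int] = None) -> bool:
    return body_hash(body, length) == expected_bh


def unsigned_remainder(body: bytes, length: int) -> bytes:
    # The bytes a verifier accepts without any signature coverage.
    return simple_body_canon(body)[length:]


def mime_part(ctype: bytes, payload: bytes) -> bytes:
    return b"--" + BOUNDARY + CRLF + b"Content-Type: " + ctype + CRLF + CRLF + payload + CRLF


def mime_body(parts) -> bytes:
    # Parts followed by the closing delimiter; new parts must go before it.
    return b"".join(mime_part(c, p) for c, p in parts) + b"--" + BOUNDARY + b"--" + CRLF


# Constructed sample message: one signed text/plain part.
ORIGINAL_PARTS = [(b"text/plain; charset=us-ascii",
                   b"Please wire the invoice amount to account 11111.")]
ORIGINAL_BODY = mime_body(ORIGINAL_PARTS)

# l= chosen to stop just before the closing delimiter so a list can add a footer part.
SIGNED_LENGTH = simple_body_canon(ORIGINAL_BODY).find(b"--" + BOUNDARY + b"--")

# What the signer intended to allow: a mailing list appends a footer part.
LIST_FOOTER_BODY = mime_body(ORIGINAL_PARTS + [
    (b"text/plain; charset=us-ascii", b"_______________\r\nlist footer")])

# What the attacker does instead: a text/html part that Outlook will render
# in preference to the signed text/plain part.
ATTACKER_BODY = mime_body(ORIGINAL_PARTS + [
    (b"text/html; charset=us-ascii",
     b"<p>Please wire the invoice amount to account <b>99999</b>.</p>")])


def demo() -> dict:
    bh = body_hash(ORIGINAL_BODY, SIGNED_LENGTH)
    return {
        "original_passes": verify_body(ORIGINAL_BODY, bh, SIGNED_LENGTH),
        "list_footer_passes": verify_body(LIST_FOOTER_BODY, bh, SIGNED_LENGTH),
        "attacker_html_passes": verify_body(ATTACKER_BODY, bh, SIGNED_LENGTH),
        # Same tampering against a signature with no l=: the hash no longer matches.
        "attacker_without_l_passes": verify_body(ATTACKER_BODY, body_hash(ORIGINAL_BODY)),
        "unsigned_bytes": unsigned_remainder(ATTACKER_BODY, SIGNED_LENGTH),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point to take from `unsigned_remainder` is that, with l= in play, a verifier knows exactly how many trailing bytes it is accepting on faith; whether those bytes are a harmless list footer or a whole alternative rendering of the message is invisible to the signature check itself.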
