Is this new text for section 9.1 Misuse of Body Length Limits ("l=" Tag)?
Murray S. Kucherawy wrote:
>
> INFORMATIVE IMPLEMENTATION NOTE: Using body length
> limits enables an attack in which an attacker modifies a
> message to include content that solely benefits the
> attacker. It is possible for the appended content to
> completely replace the original content in the end
> recipient's eyes, such as via alterations to the MIME
> structure or exploiting lax HTML parsing in the MUA,
> and to defeat duplicate message detection algorithms.
> To avoid this attack, signers should be wary of using
> this tag, and verifiers might wish to ignore the tag,
> {DKIM 2} perhaps based on other criteria.
>
> I'm worried that without this, a neophyte won't see what the attack is.
>
> I'm fine with the proposed simplification of 9.1, and I
> think at least Dave and JD have +1'd it already as well.
>
> Is that acceptable?
+1.
Small note if you are concern about "neophytes." There are sentences
where "l=" is referenced where it sounds like the tag is expected to
be there or needs to used. So maybe an addition sentence can be
appended to above:
Signers do not need to add the "l=" tag to the signature
if they are signing the entire body.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
