On October 17, 2005 at 19:50, "william(at)elan.net" wrote:
If 3rd-party signatures are allowed by policy record and mail list
does not add its own signature (which is going to be most for long
time), the same as above and email also has to be rejected.
As I have argued before, allowing 3rd-party signatures open you up
to general spoofing by malicious domains (as DKIM SSP is currently
defined).
5) When user has no 3rd-party signatures allowed in policy record and
recipient see that such email is different length (i.e. it came through
3rd party), I would argue that recipient can then reject such emails
(that is what policy says after all!) but optionally it can also still
decide to cut email to exactly what it originally was and let it through.
The only way to have the length specifier not be a security
vulnerability is to require all verifiers to strip all content that
exceeds the length.
Some of your scenarios provide wiggle room of when cutting is done,
allowing attackers to exploit such scenarios.
--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org