ietf-dkim

Re: [ietf-dkim] Re: dkim service and mail lists

2005-10-19 14:47:14
william(at)elan.net wrote:


On Wed, 19 Oct 2005, Michael Thomas wrote:

The only way to have the length specifier not be a security
vulnerability is to require all verifiers to strip all content that
exceeds the length.

Which is to say that today (eg, pre-DKIM), any inbound MTA ought to strip all content.
Correct?


I'm surprised to hear that from you. I thought it was well understood
that we were talking about this only being done when signature is
present (and has been verified) that includes length and that length
does not match the actual message.


Er, um, oh bother. The point being that currently mail is not signed
yet we somehow limp on without stripping "extra" content. There's
not much reason to believe that the transition to our future cannot still
allow for shades of gray for some period of time.

      Mike
_______________________________________________
ietf-dkim mailing list
http://dkim.org
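
The behaviour under discussion, as an added example that is not part of the thread: with a body length specifier the body hash covers only the first `l` octets, so content appended after signing still verifies, and a verifier that enforces the length delivers only the signed prefix. It assumes the "simple" body canonicalization and SHA-256 body hash of RFC 6376, and that the header signature has already been verified; the function names and the sample message are constructed for illustration.

```python
import base64
import hashlib
from typing import Optional, Tuple


def simple_body(body: bytes) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """Base64 SHA-256 of the canonical body, limited to `length` octets if given."""
    canon = simple_body(body)
    if length is not None:
        if length > len(canon):
            raise ValueError("length specifier exceeds canonical body size")
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def enforce_length(body: bytes, bh: str, length: int) -> Tuple[bool, bytes, int]:
    """Return (verified, body_to_deliver, stripped_octets).

    Content is stripped only when the hash over the first `length` octets
    matches; an unverified body is passed through unchanged.
    """
    canon = simple_body(body)
    if length > len(canon) or body_hash(body, length) != bh:
        return False, body, 0
    return True, canon[:length], len(canon) - length


# Constructed sample: the body as signed, and the same body after a relay
# (for example a mailing list) appended text to it.
SIGNED = b"Quarterly numbers attached.\r\n-- \r\nAlice\r\n"
L_TAG = len(simple_body(SIGNED))
BH = body_hash(SIGNED, L_TAG)
RELAYED = SIGNED + b"_______________\r\nappended after signing\r\n"

if __name__ == "__main__":
    print("hash matches with length limit:", body_hash(RELAYED, L_TAG) == BH)
    print("hash matches over whole body: ", body_hash(RELAYED) == BH)
    print("enforced:", enforce_length(RELAYED, BH, L_TAG))
```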