
Re: [ietf-dkim] Re: dkim service and mail lists

2005-10-19 14:55:21
On October 19, 2005 at 14:43, Michael Thomas wrote:

> Er, um, oh bother. The point being that currently mail is not signed
> yet we somehow limp on without stripping "extra" content.

But DKIM adds a new dynamic and semantics.

As has been argued (successfully) on these lists, an attacker
can add content that does not invalidate a DKIM signature but changes
the rendered contents of the message to the recipient.

If the l= tag is used, it is not sufficient to just indicate
"pass".  If pass, all content after l= needs to be stripped, unless
MUAs know how to do DKIM verification directly and can render the
validated portion separately from the extra content.

--ewh
_______________________________________________
ietf-dkim mailing list
http://dkim.org
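
The stripping step discussed in this message, as an added example that is not part of the original post or of any DKIM implementation. It assumes the l= and bh= tag semantics and "simple" body canonicalization of RFC 6376, checks only the body hash (not the b= header signature), and all function names and sample data are hypothetical.

```python
import base64
import hashlib

def parse_tags(sig_value):
    """Split a DKIM-Signature tag list (tag=value; ...) into a dict."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def simple_body(body):
    """'simple' body canonicalization: no trailing empty lines, ends in one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def signed_portion(sig_value, body):
    """Return (signed, unsigned_tail); raise ValueError if bh= does not match."""
    tags = parse_tags(sig_value)
    canon = simple_body(body)
    length = int(tags["l"]) if "l" in tags else len(canon)
    if length > len(canon):
        raise ValueError("l= exceeds body length")
    signed, tail = canon[:length], canon[length:]
    digest = base64.b64encode(hashlib.sha256(signed).digest()).decode()
    if digest != tags.get("bh"):
        raise ValueError("body hash mismatch")
    return signed, tail  # deliver or render only `signed`; `tail` is unauthenticated

# Constructed sample: the body as signed, and text appended after signing.
ORIGINAL = b"Meeting moved to 3pm.\r\n"
APPENDED = b"\r\n-- \r\nUnsigned text added in transit\r\n"

def constructed_sig(body):
    """Build a sample tag list covering the whole body (stand-in for a real signer)."""
    canon = simple_body(body)
    bh = base64.b64encode(hashlib.sha256(canon).digest()).decode()
    return "v=1; a=rsa-sha256; c=simple/simple; l=%d; bh=%s" % (len(canon), bh)

if __name__ == "__main__":
    sig = constructed_sig(ORIGINAL)
    signed, tail = signed_portion(sig, ORIGINAL + APPENDED)
    print("verified:", signed)
    print("stripped:", tail)
```
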