ietf-dkim

Re: [ietf-dkim] Re: DKIM h= tag - Default or required headers?

2005-11-06 17:50:22
From: "Jim Fenton" <fenton(_at_)cisco(_dot_)com>


There is no default list of signed headers in DKIM. This is intentional
because it removes an unnecessary degree of freedom that otherwise might
cause signatures to fail verification.

So in other words, force signers to declare the header(s) in the h=.  Ok, I
can see that.

IMO, this should be noted as a possible threat entry point to be researched
because according to the draft spec, as it is written, only the h= tag is
required.  Code would need to be ready to handle this.

Finally, IMO, "visible headers" should be defined as this is the only near
definitive statement an implementer has to go by in the spec.

Thanks Jim.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com


_______________________________________________
ietf-dkim mailing list
http://dkim.org
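
The verifier-side handling discussed in this message, as an added example that is not part of the original post or of the DKIM draft: it rejects a signature that has no usable h= tag (there is no default list to fall back on) and reports which headers present in the message are not covered by h=. The `VISIBLE_HEADERS` set, the function names and the sample message are assumptions constructed for illustration.

```python
import re

# Assumption: this set of "visible headers" is illustrative only, not taken from the draft.
VISIBLE_HEADERS = {"from", "to", "cc", "subject", "date"}

def parse_tag_list(value):
    """Parse a DKIM-Signature value ("tag=value; tag=value") into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Strip all whitespace (including folding) from the value; safe for h=.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def signed_headers(sig_value):
    """Return lower-cased header names from h=; raise if h= is absent or empty."""
    tags = parse_tag_list(sig_value)
    names = [n.lower() for n in tags.get("h", "").split(":") if n]
    if not names:
        raise ValueError("h= missing or empty: no default header list exists")
    return names

def unsigned_visible(message_headers, sig_value):
    """Visible headers present in the message but not listed in h=."""
    covered = set(signed_headers(sig_value))
    present = {name.lower() for name, _ in message_headers}
    return sorted((present & VISIBLE_HEADERS) - covered)

# Constructed sample message and signature value (b= is a placeholder, not real data).
SAMPLE_HEADERS = [("From", "alice@example.com"), ("To", "bob@example.net"),
                  ("Subject", "hello"), ("Date", "Sun, 6 Nov 2005 17:50:22 -0500")]
SAMPLE_SIG = "a=rsa-sha1; d=example.com; s=sel1;\r\n h=from : subject;\r\n b=PLACEHOLDER"

if __name__ == "__main__":
    print("signed:", signed_headers(SAMPLE_SIG))
    print("visible but unsigned:", unsigned_visible(SAMPLE_HEADERS, SAMPLE_SIG))
```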