ietf-dkim

Re: [ietf-dkim] Re: DKIM h= tag - Default or required headers?

2005-11-07 12:17:21
Hector Santos wrote:

From: "Jim Fenton" <fenton(_at_)cisco(_dot_)com>


There is no default list of signed headers in DKIM. This is intentional
because it removes an unnecessary degree of freedom that otherwise might
cause signatures to fail verification.

So in other words, force signers to declare the header(s) in the h=.  Ok, I
can see that.

IMO, this should be noted as a possible threat entry point to be researched
because according to the draft spec, as it is written, only the h= tag is
required.  Code would need to be ready to handle this.

Finally, IMO, "visible headers" should be defined as this is the only near
definitive statement an implementer has to go by in the spec.
Even visible headers can sometimes cause trouble, as I found out on this
list: it removes the Cc lines and replaces them with the List-Id.

[cue up Levine's _Mailing List Symphony of 1000_]

      Mike
_______________________________________________
ietf-dkim mailing list
http://dkim.org
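An added illustration (not code from the thread or from any DKIM implementation) of why the h= list matters for the mailing-list case described above: a small Python model parses h=, hashes the named headers with simple canonicalization, and checks whether a list that drops Cc and adds List-Id leaves the signed header hash intact. The sample headers, the signature values and the list-rewrite behaviour are constructed for this example.

```python
import hashlib


def parse_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def signed_header_names(sig_value):
    """Return the lowercased header names listed in h=, in order.
    There is no default list: a missing h= is an error, not 'all headers'."""
    tags = parse_tags(sig_value)
    if "h" not in tags:
        raise ValueError("DKIM-Signature lacks the required h= tag")
    return [n.strip().lower() for n in tags["h"].split(":") if n.strip()]


def header_hash(headers, names):
    """Hash the signed headers with 'simple' canonicalization, taking the
    last occurrence of each name; a listed header that is absent adds nothing."""
    canon = []
    for name in names:
        matches = [(h, v) for h, v in headers if h.lower() == name]
        if matches:
            h, v = matches[-1]
            canon.append(f"{h}: {v}\r\n")
    return hashlib.sha256("".join(canon).encode()).hexdigest()


def list_rewrite(headers):
    """Constructed model of the list behaviour from the thread: drop Cc, add List-Id."""
    kept = [(h, v) for h, v in headers if h.lower() != "cc"]
    return kept + [("List-Id", "<ietf-dkim.example.org>")]


def survives_list_rewrite(headers, sig_value):
    """True if the list rewrite leaves the hash over the h= headers unchanged."""
    names = signed_header_names(sig_value)
    return header_hash(headers, names) == header_hash(list_rewrite(headers), names)


# Constructed sample message and signatures (values are placeholders).
HEADERS = [("From", "alice@example.com"), ("To", "ietf-dkim@example.org"),
           ("Cc", "bob@example.com"), ("Subject", "DKIM h= tag")]
SIG_WITHOUT_CC = "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel; h=From:To:Subject; b=PLACEHOLDER"
SIG_WITH_CC = "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel; h=From:To:Cc:Subject; b=PLACEHOLDER"

if __name__ == "__main__":
    print(survives_list_rewrite(HEADERS, SIG_WITHOUT_CC))  # True: Cc not signed
    print(survives_list_rewrite(HEADERS, SIG_WITH_CC))     # False: Cc signed, then removed
```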