
[ietf-dkim] Compromize?

2006-03-28 13:17:17
What about using l=0 in combination with
bodyhash=sha:w2iu2y32iur2iu3yriuy2r3== ?

This is consistent with current implementations while allowing people to
calculate the bodyhash separately. The only thing that a legacy application
looses is the ability to verify the message body.

This provides a very nice, clean solution to deployment of new C18N
algorithms as well, provided that the header c18n is not affected.


-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Jim Fenton
Sent: Tuesday, March 28, 2006 12:02 PM
To: Bill(_dot_)Oxley(_at_)cox(_dot_)com
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] mailing lists and -base

Bill(_dot_)Oxley(_at_)cox(_dot_)com wrote:
Is signing the body at all an essential requirement? Yes, some 
potential risk for a replay attack but otherwise "whoami I 
sent this" 
should be sufficient for some providers,

  
As long as people support the l= tag, they could use l=0 to 
not sign the body.  This capability has been cited as a 
reason to get rid of l= because it facilitates such 
"dangerous" behavior.  IMO, if they want to sign such 
messages, and recipients want to accept them, let them do that.

-Jim
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
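
The l=0 plus separate bodyhash idea discussed above, as an added example that is not part of the original messages or of any DKIM implementation. Assumptions: "sha" is taken to be SHA-256, an HMAC with a constructed key stands in for the public-key signature, the body uses the "simple" canonicalization later specified in RFC 6376, and all function names and sample data are hypothetical.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the real signature

def canon_body(body: bytes) -> bytes:
    # "simple" body canonicalization: drop trailing empty lines, end with one CRLF
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes) -> str:
    digest = hashlib.sha256(canon_body(body)).digest()
    return base64.b64encode(digest).decode()

def _mac(headers: bytes, tags: dict, body: bytes) -> str:
    # Signed input: headers, the signature's own tags (minus b=), and only the
    # first l octets of the body. With l=0 no body octet is covered.
    tag_str = ";".join(f"{k}={v}" for k, v in sorted(tags.items()) if k != "b")
    covered = canon_body(body)[: int(tags["l"])]
    msg = headers + tag_str.encode() + covered
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def sign(headers: bytes, body: bytes) -> dict:
    tags = {"l": "0", "bodyhash": "sha:" + body_hash(body)}
    tags["b"] = _mac(headers, tags, body)
    return tags

def legacy_verify(headers: bytes, tags: dict, body: bytes) -> bool:
    # Legacy verifier: honours l=0 and does not interpret bodyhash, although the
    # tag is still covered by the signature as part of the signed header.
    return hmac.compare_digest(tags["b"], _mac(headers, tags, body))

def bodyhash_verify(headers: bytes, tags: dict, body: bytes) -> bool:
    # Newer verifier: signature check plus a separately computed body hash.
    expected = "sha:" + body_hash(body)
    return legacy_verify(headers, tags, body) and hmac.compare_digest(
        tags["bodyhash"], expected)

# Constructed sample message
HEADERS = b"From: alice@example.org\r\nSubject: constructed sample\r\n"
BODY = b"Original body.\r\n"
TAMPERED = b"Replaced body.\r\n"

if __name__ == "__main__":
    sig = sign(HEADERS, BODY)
    print("legacy, original body:   ", legacy_verify(HEADERS, sig, BODY))
    print("legacy, replaced body:   ", legacy_verify(HEADERS, sig, TAMPERED))
    print("bodyhash, replaced body: ", bodyhash_verify(HEADERS, sig, TAMPERED))
```
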

