ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] ISSUE: tag l=2 and dealing with leading blank lines for SIMPLE c14n.

2007-01-24 19:38:48
from [Jim Fenton] [Permanent Link] 
Hector Santos wrote:

Jim Fenton wrote:
I don't think this accomplishes what you intended. If you're worried about an attacker exploiting a body-less message signed with l=2, the attacker could still start their message with a blank line. It then would be up to the verifier to treat this specially. Expecting the verifier to do something special with messages signed with l=2 is an unnecessary, and error-prone, rule.
If the signer wants to make sure that messages are not subject to "append attacks", they shouldn't use l=. Use the default. 

+1.
In lieu of a proposed KEY attribute "l=w|p", not defining the body limit with the DKIM-SIGNATURE: header l= tag, should be noted in the DKIM-BASE specs.
Otherwise, you are open to Body Limit Security Attacks. I'm sure every SIGNER would want to avoid any possible security exploit and not defining the body limit during the signing practice and if not defining the l= tag eliminates this exploit, then it should highlighted in the specification. 



_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] New IANA considerations: standards track or just RFC?, Jim Fenton
Next by Date:  Re: [ietf-dkim] ISSUE: tag l=2 and dealing with leading blank lines for SIMPLE c14n., Jim Fenton
Previous by Thread:  Re: [ietf-dkim] ISSUE: tag l=2 and dealing with leading blank lines for SIMPLE c14n., Hector Santos
Next by Thread:  Re: [ietf-dkim] ISSUE: tag l=2 and dealing with leading blank lines for SIMPLE c14n., Jim Fenton
Indexes:  [Date] [Thread] [Top] [All Lists]