On Wed, 24 Jan 2007 18:01:48 -0000, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:

> On Jan 24, 2007, at 9:24 AM, Scott Kitterman wrote:
>> IIRC, every time someone brings up l= problems, the response is don't
>> use it.
>> Is there a problem it solves that we need it? If it's inherently risky and
>> should not be used, I'm wondering if it should even be in the RFC?
>
> This is a valid concern. Why allow something that can and most likely
> will be abused?

It all depends on what the sender of the message is trying to achieve, and
on his level of paranoia. For the most obvious attacks (spoofing the
source of a message), body signing is not important (since most bad guys
do not have the ability to interfere with a message in transit), and the
ability to permit mailing lists to add stuff like:
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
is more important. But if the sender is worried about possible Replay
Attacks, then he has to do a little more (possibly losing the ability to
have the message pass smoothly through mailing lists).
But even there, there is a workaround. Simply include, as the last line of
the signed part of the message, something like:
WARNING! THIS IS THE END OF THE MESSAGE. ANYTHING BELOW THIS LINE WAS
ADDED IN TRANSIT.
------------------------------------------------------------------------------
If that looks a little alarmist, something more polite, such as a
conventional signature following the customary "-- CRLF", might be good
enough.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
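
The `l=` behaviour discussed in this message, as an added example that is not part of the original post: it models only the DKIM body hash (`bh=`) with "simple" body canonicalization and SHA-256, not the header signature. The message body, the appended text and the function names are constructed for illustration.

```python
import base64
import hashlib

def canon_simple(body: bytes) -> bytes:
    """DKIM 'simple' body canonicalization: ignore trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes, length=None) -> str:
    """Base64 SHA-256 over the canonical body, truncated to l= octets when given."""
    data = canon_simple(body)
    if length is not None:
        if length > len(data):
            raise ValueError("l= exceeds canonicalized body length")
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def check_body(received: bytes, bh: str, length=None):
    """Return (bh_matches, unsigned_tail) so a verifier can flag text added in transit."""
    try:
        ok = body_hash(received, length) == bh
    except ValueError:
        return False, b""
    tail = canon_simple(received)[length:] if ok and length is not None else b""
    return ok, tail

# Constructed sample: signed body ending in a conventional "-- " signature.
SIGNED = b"Hello list,\r\n\r\nSee the draft.\r\n-- \r\nSender\r\n"
FOOTER = (b"_______________________________________________\r\n"
          b"NOTE WELL: This list operates according to\r\n"
          b"http://mipassoc.org/dkim/ietf-list-rules.html\r\n")

L_TAG = len(canon_simple(SIGNED))      # value the signer would put in l=
BH = body_hash(SIGNED, L_TAG)          # value the signer would put in bh=
RECEIVED = SIGNED + FOOTER             # what a subscriber gets from the list

if __name__ == "__main__":
    print("with l=   :", check_body(RECEIVED, BH, L_TAG))
    print("without l=:", check_body(RECEIVED, BH))
    # Any other appended text verifies equally well; only the tail report shows it.
    print("other tail:", check_body(SIGNED + b"constructed added text\r\n", BH, L_TAG))
```

The hash matches with `l=` whatever follows the signed octets, so the useful output for a receiver is the unsigned tail, which is the part the message's "end of message" marker is meant to make visible to the reader.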