--On January 24, 2007 2:08:24 PM -0500 Hector Santos
<hsantos(_at_)santronics(_dot_)com> wrote:
At the very least, Eric should add a statement about omitting the
l= tag to avoid any signer concern about partial hashing body
limit replay exploits.
There are already several warnings in the draft about the dangers of
using "l=". We know that the point of "l=" is to allow appending of
trailers, as Charles pointed out. We also know that it creates a
risk of exploitation, and there are warnings about that in sections
3.5 and 8.1.
And frankly, I don't see why a leading <CRLF> is a special case.
Adding a special warning about "l=2" and <CRLF> just seems
unnecessary, and opens up a whole can of worms. Suppose the body
begins with "--" (not unlikely in a MIME message) --- should this be
specifically mentioned as well? If it begins with two <CRLF>s and
has "l=4", it is essentially the same case. Suppose it only signs to
the end of the first MIME separator? Suppose the message begins
"Dear " and has "l=5", or "<CRLF><CRLF>--On " and "l=9" (as this
message does)?
eric
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html