It's a slippery slope that I think we've already gone down far enough. I
think the current exhortations are sufficient.
Tony Hansen
tony(_at_)att(_dot_)com
Eric Allman wrote:
--On January 24, 2007 2:08:24 PM -0500 Hector Santos
<hsantos(_at_)santronics(_dot_)com> wrote:
At the very least, Eric should add a statement about omitting the
l= tag to avoid any signer concern about partial hashing body
limit replay exploits.
There are already several warnings in the draft about the dangers of
using "l=". We know that the point of "l=" is to allow appending of
trailers, as Charles pointed out. We also know that it creates a risk
of exploitation, and there are warnings about that in sections 3.5 and 8.1.
And frankly, I don't see why a leading <CRLF> is a special case. Adding
a special warning about "l=2" and <CRLF> just seems unnecessary, and
opens up a whole can of worms. Suppose the body begins with "--" (not
unlikely in a MIME message) --- should this be specifically mentioned as
well? If it begins with two <CRLF>s and has "l=4", it is essentially
the same case. Suppose it only signs to the end of the first MIME
separator? Suppose the message begins "Dear " and has "l=5", or
"<CRLF><CRLF>--On " and "l=9" (as this message does)?
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html