ietf-dkim

Re: [ietf-dkim] ISSUE: tag l=2 and dealing with leading blank lines for SIMPLE c14n.

2007-01-25 17:32:48

It is possible for software to detect mailing lists and perhaps use
l= on those messages, but not on others. It is even possible for
software to automatically detect its own signatures that break
because of trailers put on, and then start using l=. It could happen.
It's not a computationally infeasible problem.

Similarly, software could take messages coming from some hosts and
trim the dangling trailers on some messages, and not on others.

I also think that warnings about appropriate lengths are not only
unnecessary, but inappropriate. It's arrogant for the standard to
tell the implementer and the deployer how to do their job. Like all
rules of thumb, it can be carried to an absurd extreme, so I'm not
interested in hearing about the exception case.

I'm especially uninterested because DKIM is a system that, when
misused, hurts the signer and no one else. If I start signing
messages with l=2 and some spammer uses that, guess who's hurt? Me.

Bad actors will find signatures surviving as a result of the 'l=n'
parameter, and can then add their malware, which might be a very innocent
looking URI pointing to some provider's AUP.  This message can then be
sent in bulk anywhere.  The innocent URI may still cause an exploit to
occur, and recipients might have thought they were trusting you.  So who
is hurt?

Of course, the DKIM community will then need to explain to these end users
about this wonderful feature that allowed them to be completely confused.

-Doug


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
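
The body-hash behaviour this exchange argues about, as an added example that is not part of the original message or of any DKIM implementation: it covers only the bh= computation under simple canonicalization with SHA-256, and shows a verifier-side check that reports how many body octets fall outside l=. The function names, the "pass-partial" verdict and the sample messages are assumptions made for illustration.

```python
import base64
import hashlib
from typing import Optional, Tuple

def simple_body(body: bytes) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes, l: Optional[int] = None) -> str:
    """bh= value: SHA-256 over the canonical body, truncated to l octets if l= is set."""
    canon = simple_body(body)
    if l is not None:
        canon = canon[:l]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def check_body(body: bytes, bh: str, l: Optional[int]) -> Tuple[str, int]:
    """Return (verdict, unsigned_octets). 'pass-partial' means the hash matched
    but octets beyond l= are not covered by the signature."""
    canon = simple_body(body)
    if l is not None and l > len(canon):
        return ("fail", 0)            # body is shorter than the signed length
    if body_hash(body, l) != bh:
        return ("fail", 0)
    extra = 0 if l is None else len(canon) - l
    return ("pass-partial", extra) if extra else ("pass", 0)

# Constructed sample messages (not from the thread).
ORIGINAL = b"Hello list,\r\nsee you Friday.\r\n"
WITH_TRAILER = ORIGINAL + b"_______\r\nlist footer: http://lists.example/rules\r\n"
UNRELATED = b"Hello, something else entirely.\r\n"

L_FULL = len(simple_body(ORIGINAL))        # signer covers the whole body it sent
BH_FULL = body_hash(ORIGINAL, L_FULL)
BH_L2 = body_hash(ORIGINAL, 2)             # the l=2 case: only b"He" is hashed

if __name__ == "__main__":
    for name, body, bh, l in [
        ("original, l=full", ORIGINAL, BH_FULL, L_FULL),
        ("trailer,  l=full", WITH_TRAILER, BH_FULL, L_FULL),
        ("trailer,  no l= ", WITH_TRAILER, body_hash(ORIGINAL), None),
        ("unrelated, l=2  ", UNRELATED, BH_L2, 2),
    ]:
        print(name, check_body(body, bh, l))
```

A verifier that surfaces the unsigned octet count can decide by local policy whether a partially covered body is displayed, truncated at l= or treated as unsigned.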
