ietf-dkim

Re: [ietf-dkim] Features that could be reconsidered as part of the bis process

2009-05-20 17:56:48
Steve Atkins wrote:
On May 20, 2009, at 2:17 PM, Michael Thomas wrote:

Steve Atkins wrote:
Why would you want to sign email as something you vouched for,
while still enabling anyone to replace the content of the email
with something else without invalidating that signature?
You can't replace it; you can only append to it.

That's likely wrong, depending on the details of the l= usage.

   No I'm not.

Firstly, one expressed use case for l= is "l=0" - in other words, don't
sign any of the body. In that case I can put any body content in there
I like, and it'll still be validly signed.

   That's still appending.

Another use case is to use l= to sign a text part of an email, but not
to sign an attachment. 

   That's still appending.

Another use case is to set l= to the entire length of the email as sent.

   That's still appending.

   DKIM only talks about taking responsibility, and only for the parts that
   are signed. How an evaluator deals with the unsigned parts of a message
   is outside of the scope of DKIM.

(though the supposed benefit it offers is not clear)

   You forgot "to me".

                Mike
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
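
As an added illustration (not part of the original message or of any DKIM implementation), the sketch below computes the DKIM body hash under "simple" canonicalization with an l= limit, so the cases argued over in this thread can be checked directly. The function names `canon_simple`, `body_hash` and `unsigned_octets` are hypothetical, and the sample bodies are constructed.

```python
import base64
import hashlib
from typing import Optional


def canon_simple(body: bytes) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, l: Optional[int] = None) -> str:
    """Base64 SHA-256 over the canonicalized body, truncated to l octets if l= is set."""
    data = canon_simple(body)
    if l is not None:
        if l > len(data):
            # A verifier must fail a signature whose l= exceeds the body it received.
            raise ValueError("l= is larger than the canonicalized body")
        data = data[:l]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def unsigned_octets(body: bytes, l: Optional[int]) -> int:
    """Octets of the received body that the signature does not cover."""
    return 0 if l is None else len(canon_simple(body)) - l


def compare_cases() -> dict:
    signed = b"Quarterly figures follow.\r\n"             # constructed body as sent
    l = len(canon_simple(signed))                          # l= set to the full length as sent
    appended = signed + b"Text added after signing.\r\n"   # constructed: content appended
    altered = b"Q" + signed.replace(b"Quarterly", b"uarterly!", 1)[1:]  # constructed: prefix changed
    return {
        "append_verifies_with_l": body_hash(appended, l) == body_hash(signed, l),
        "append_verifies_without_l": body_hash(appended) == body_hash(signed),
        "changed_prefix_verifies": body_hash(altered, l) == body_hash(signed, l),
        "l0_any_body_verifies": body_hash(b"one body\r\n", 0) == body_hash(b"another\r\n", 0),
        "unsigned_in_appended": unsigned_octets(appended, l),
    }


if __name__ == "__main__":
    for name, value in compare_cases().items():
        print(f"{name}: {value}")
```

An evaluator that wants to treat unsigned content differently can use the count returned by `unsigned_octets` as its input; what it does with that count is its own policy.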
