
Re: [ietf-dkim] Features that could be reconsidered as part of the bis process

2009-05-20 18:22:28
On Wed, 20 May 2009, Steve Atkins wrote:
Another use case is to use l= to sign a text part of an email, but not 
to sign an attachment. In that case I can obviously replace the 
attachment with my own content, but depending on the details of the 
email structure I may well be able to replace the text section as 
rendered to the user as well.

Indeed, Outlook will opt to render an HTML part over a text part whenever 
given the choice.  Thus, if you sign only the text/plain portion of a 
message and an attacker appends a text/html part, the unsigned HTML 
version will be rendered even if completely different from the text/plain 
part, and DKIM would give that a thumbs-up.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
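A verifier-side check for the l= weakness discussed above, added here as an example and not part of the thread or of any DKIM implementation: it measures how many canonical body bytes the l= tag leaves unsigned and reports whether that unsigned tail opens another MIME part or carries a text/html part that a client such as Outlook would render in preference to the signed text. It assumes the "simple" body canonicalization of RFC 6376 (relaxed is not implemented) and runs on a constructed message whose bh= and b= values are placeholders, not a real signature.

```python
import re

def canonicalize_simple_body(body: bytes) -> bytes:
    """RFC 6376 3.4.3 'simple' body canonicalization: CRLF endings, trailing
    empty lines dropped, exactly one CRLF at the end (l= counts these bytes)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def audit_body_length(raw: bytes) -> dict:
    """Measure what l= leaves unsigned and whether that tail can add a MIME part or HTML."""
    head, _, body = raw.partition(b"\r\n\r\n")
    head = re.sub(rb"\r\n[ \t]+", b" ", head)  # unfold continuation lines
    result = {"l": None, "unsigned_bytes": 0, "adds_mime_part": False, "adds_html": False}
    sig = re.search(rb"(?im)^dkim-signature:(.*)$", head)
    if sig is None:
        return result
    ltag = re.search(rb"(?:^|;)\s*l\s*=\s*(\d+)", sig.group(1))
    if ltag is None:
        return result  # no l=: the whole canonical body is signed
    result["l"] = int(ltag.group(1))
    tail = canonicalize_simple_body(body)[result["l"]:]
    result["unsigned_bytes"] = len(tail)
    ctype = re.search(rb"(?im)^content-type:(.*)$", head)
    bnd = ctype and re.search(rb'boundary="?([^";\s]+)"?', ctype.group(1))
    if bnd and b"--" + bnd.group(1) in tail:
        result["adds_mime_part"] = True   # tail opens another body part
    if re.search(rb"(?i)content-type:\s*text/html", tail):
        result["adds_html"] = True        # an unsigned HTML alternative, as in the thread
    return result

def build_message(body: bytes, l=None) -> bytes:
    """Constructed test message; bh= and b= are placeholders, not a real signature."""
    ltag = f" l={l};".encode() if l is not None else b""
    return (b"DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel;\r\n"
            b"\th=from:content-type; bh=PLACEHOLDER;" + ltag + b" b=PLACEHOLDER\r\n"
            b"From: sender@example.com\r\n"
            b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n' + body)

# Constructed scenario from the thread: l= covers only the text/plain part, so the
# html alternative that follows it (and the closing boundary) is unsigned.
SIGNED_PART = b"--b1\r\nContent-Type: text/plain\r\n\r\nYour invoice is attached.\r\n"
UNSIGNED_TAIL = b"--b1\r\nContent-Type: text/html\r\n\r\n<p>different text</p>\r\n--b1--\r\n"

if __name__ == "__main__":
    print(audit_body_length(build_message(SIGNED_PART + UNSIGNED_TAIL, len(SIGNED_PART))))
```

A verifier that treats any non-zero `unsigned_bytes` as "unsigned message" (which RFC 6376 permits) closes the gap regardless of how the client picks which part to render.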
