On 5/20/09 11:42 PM, Murray S. Kucherawy wrote:
> Indeed, Outlook will opt to render an HTML part over a text part whenever
> given the choice. Thus, if you sign only the text/plain portion of a
> message and an attacker appends a text/html part, the unsigned HTML
> version will be rendered even if completely different from the text/plain
> part, and DKIM would give that a thumbs-up.
The conditions anticipated by l= were the limited case where a mailing
list would append bits of information, such that the rest of the
signature could be retained. As John has pointed out, that is
challenging because of all of the rewriting that goes on. So I think we
need to back up and decide whether it's worth arguing over whether a
behavior change in the base is something we want to encourage. I don't
have an opinion on that at the moment.
Eliot
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
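The l= behaviour discussed in this thread, as an added example that is not part of the list discussion: a Python sketch of DKIM "simple" body canonicalization and bh= computation, showing that bytes appended beyond the l= limit leave the body hash unchanged, plus the verifier-side check that exposes the unsigned tail. The message bodies are constructed; header signing and the signature itself are left out.

```python
import base64
import hashlib
from typing import Optional, Tuple


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3 'simple' body canonicalization: drop empty lines at
    the end of the body and make sure it ends with exactly one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if body and not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """bh= value (sha256, base64) over the canonical body, truncated to
    `length` bytes when the signature carries an l= tag."""
    canon = canonicalize_body_simple(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def unsigned_tail(body: bytes, length: int) -> bytes:
    """Bytes of the canonical body that an l= tag of `length` leaves outside
    the signature. A verifier seeing a non-empty tail should treat the
    signature with suspicion (RFC 6376 section 8.2, misuse of l=)."""
    return canonicalize_body_simple(body)[length:]


# Constructed sample: the body the signer covered, and text appended in
# transit. The signer set l= to the length of the canonical original body.
SIGNED_BODY = b"Hello,\r\nPlease review the attached report.\r\n-- \r\nAlice\r\n"
APPENDED = b"\r\nThis text was added after signing and is not covered.\r\n"
L_TAG = len(canonicalize_body_simple(SIGNED_BODY))


def demo() -> Tuple[bool, int]:
    """Returns (bh unchanged by the appended text?, number of unsigned bytes)."""
    modified = SIGNED_BODY + APPENDED
    same_bh = body_hash(SIGNED_BODY, L_TAG) == body_hash(modified, L_TAG)
    return same_bh, len(unsigned_tail(modified, L_TAG))


if __name__ == "__main__":
    # The truncated hash still matches, so a verifier that only checks bh=
    # passes the message; only the tail check reveals the appended bytes.
    print(demo())
```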