ietf-dkim

Re: [ietf-dkim] Ticket 23 -- l= and Content-type

2011-04-29 13:55:37
On 29/Apr/11 19:56, Dave CROCKER wrote:
> As for the second part, with or without Content-Type, messing with the message
> in any interesting way will break the signature.

I'm not sure what you mean by "second part" and "interesting way".
The change to that security consideration section was meant to warn
against the attack that John mentioned, that is:

original:

  DKIM-Signature: d=example.com; h=From:From:Subject; l=17; ...
  From: user@example.com
  Subject: unsigned Content-Type follows
  Content-Type: text/plain

  This is signed!

changed by attacker:

  DKIM-Signature: d=example.com; h=From:From:Subject; l=17; ...
  From: user@example.com
  Subject: unsigned Content-Type follows
  Content-Type: multipart/mixed; boundary=boundary

  This is signed!
  --boundary
  Content-Type: text/plain

  Now this is the only visible part of the message,
  the (invisible) MIME preamble is still signed,
  the original signature is not broken.

  --boundary--

-- 
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
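
A check a verifier or mail filter can run against the two messages above, as an added example that is not part of the original post: it reports how many body bytes fall outside the l= count and whether Content-Type is listed in h=. The messages are constructed from the post's samples with the elided signature tags dropped, the function names are hypothetical, and only "simple" body canonicalization is handled.

```python
import hashlib
import re

def split_message(raw: bytes):
    """Split a CRLF-delimited message into (unfolded headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    headers = [tuple(p.strip() for p in line.split(b":", 1))
               for line in unfolded.split(b"\r\n")]
    return headers, body

def simple_body(body: bytes) -> bytes:
    """'simple' canonicalization: trailing empty lines collapse to one CRLF."""
    return body.rstrip(b"\r\n") + b"\r\n"

def audit(raw: bytes) -> dict:
    """Report what the l= and h= tags leave outside the signature."""
    headers, body = split_message(raw)
    sig = next(v for k, v in headers if k.lower() == b"dkim-signature")
    tags = dict(t.strip().split(b"=", 1) for t in sig.split(b";") if b"=" in t)
    signed = {h.strip().lower() for h in tags[b"h"].split(b":")}
    canon = simple_body(body)
    limit = int(tags[b"l"]) if b"l" in tags else len(canon)
    return {
        # Hash input for the body is only the first l bytes.
        "covered_sha256": hashlib.sha256(canon[:limit]).hexdigest(),
        "unsigned_body_bytes": max(len(canon) - limit, 0),
        "content_type_signed": b"content-type" in signed,
    }

# Constructed sample: the "original" message from the post.
ORIGINAL = b"\r\n".join([
    b"DKIM-Signature: d=example.com; h=From:From:Subject; l=17",
    b"From: user@example.com",
    b"Subject: unsigned Content-Type follows",
    b"Content-Type: text/plain",
    b"",
    b"This is signed!",
    b"",
])
# Constructed sample: the altered message (header swapped, parts appended).
ALTERED = ORIGINAL.replace(
    b"Content-Type: text/plain",
    b"Content-Type: multipart/mixed; boundary=boundary",
) + (b"--boundary\r\nContent-Type: text/plain\r\n\r\n"
     b"Now this is the only visible part of the message.\r\n--boundary--\r\n")

if __name__ == "__main__":
    for name, msg in (("original", ORIGINAL), ("altered", ALTERED)):
        print(name, audit(msg))
```

Both messages yield the same covered hash, so the signature alone cannot tell them apart; a nonzero `unsigned_body_bytes` together with an unsigned Content-Type is the condition to flag.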
