ietf-dkim

Re: [ietf-dkim] Ticket 23 -- l= and Content-type

2011-05-01 09:20:31
I don't think we actually understand all the ways that l= allows you to
shoot yourself in the foot, so I would prefer not to give the impression
that if people avoid a few cases we describe, they're safe.

-1, I agree we don't know all the ways DKIM can be fooled.  Neither did we
actually see real attacks in the wild.  We don't even state how to
react to multiple Froms.  Presumably, the wider the DKIM deployment,
the more we'll learn on handling attacks.  However, hiding the few
things we know doesn't seem to be a good start toward such watchful
cooperative deployment.

The message should be don't use l= if you care about your signature.

I don't think we yet have consensus to take out l= but it is quite clear 
that the problems it causes are far greater than whatever problems it 
might solve.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet 
for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
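
An added illustration of the l= concern discussed in this thread (not part of the original message, and not code from any DKIM implementation): a receiver-side check that reports how many canonicalized body bytes lie outside the range an l= tag covers, meaning bytes the signature says nothing about. The sample message, the function names and the PLACEHOLDER tag values are constructed for the example.

```python
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 section 3.4 ("simple" or "relaxed")."""
    if mode == "relaxed":
        body = re.sub(rb"[ \t]+(?=\r\n|\Z)", b"", body)  # drop trailing whitespace
        body = re.sub(rb"[ \t]+", b" ", body)            # collapse whitespace runs
    # Ignore empty lines at the end of the body, leaving exactly one CRLF.
    body = re.sub(rb"(\r\n)*\Z", b"\r\n", body, count=1)
    return b"" if mode == "relaxed" and body == b"\r\n" else body

def dkim_tags(raw_headers: bytes):
    """Yield the tag=value pairs of each DKIM-Signature header field."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", raw_headers)
    for line in unfolded.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"dkim-signature":
            continue
        tags = {}
        for part in value.split(b";"):
            key, sep, val = part.partition(b"=")
            if sep:
                tags[key.strip().decode()] = re.sub(rb"\s+", b"", val).decode()
        yield tags

def unsigned_tail(raw: bytes) -> list:
    """For every signature carrying l=, report the body bytes it does not cover."""
    headers, _, body = raw.partition(b"\r\n\r\n")
    findings = []
    for tags in dkim_tags(headers):
        if "l" not in tags:
            continue  # whole body is hashed; nothing to report
        c = tags.get("c", "simple/simple")
        mode = c.split("/")[1] if "/" in c else "simple"  # body algorithm defaults to simple
        total, signed = len(canon_body(body, mode)), int(tags["l"])
        findings.append({"d": tags.get("d"), "l": signed, "body_len": total,
                         "unsigned": max(total - signed, 0)})
    return findings

# Constructed sample: l=13 covers only the first body line after relaxed canonicalization.
SAMPLE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    b"\ts=sel; h=from:subject; l=13; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: a@example.com\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"signed  text\r\n"
    b"text added after signing\r\n"
)

if __name__ == "__main__":
    print(unsigned_tail(SAMPLE))
```

A non-zero `unsigned` value is a reason to treat the message body as only partially authenticated, whatever the signature verification result says.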