ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Ticket 23 -- l= and Content-type

2011-05-01 12:18:37

On 4/30/2011 11:43 PM, Murray S. Kucherawy wrote:
I'd like to leave in MIME and HTML exploits as examples if people agree that 
wouldn't be harmful, such as this updated text in 4.4.5:

                      <t>INFORMATIVE IMPLEMENTATION NOTE: Using body length
                         limits enables an attack in which an attacker 
modifies a
                         message to include content that solely benefits the
                         attacker. It is possible for the appended content to
                         completely replace the original content in the end
                         recipient's eyes, such as via alterations to the MIME
                         structure or exploiting lax HTML parsing in the MUA,
                         and to defeat duplicate message detection algorithms.
                         To avoid this attack, signers should be wary of using
                         this tag, and verifiers might wish to ignore the tag,
                         {DKIM 2} perhaps based on other criteria.</t>

I'm worried that without this, a neophyte won't see what the attack is.


+1

d/
-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html