ietf-dkim

Re: [ietf-dkim] Ticket 23 -- l= and Content-type

2011-05-01 20:42:21

Is this new text for section 9.1 Misuse of Body Length Limits ("l=" Tag)?

Murray S. Kucherawy wrote:

    INFORMATIVE IMPLEMENTATION NOTE: Using body length
    limits enables an attack in which an attacker modifies a
    message to include content that solely benefits the
    attacker. It is possible for the appended content to
    completely replace the original content in the end
    recipient's eyes, such as via alterations to the MIME
    structure or exploiting lax HTML parsing in the MUA,
    and to defeat duplicate message detection algorithms.
    To avoid this attack, signers should be wary of using
    this tag, and verifiers might wish to ignore the tag,
    {DKIM 2} perhaps based on other criteria.

I'm worried that without this, a neophyte won't see what the attack is.

I'm fine with the proposed simplification of 9.1, and I 
think at least Dave and JD have +1'd it already as well.

Is that acceptable?

+1.

Small note if you are concerned about "neophytes."   There are sentences 
where "l=" is referenced where it sounds like the tag is expected to 
be there or needs to be used.   So maybe an additional sentence can be 
appended to the above:

      Signers do not need to add the "l=" tag to the signature
      if they are signing the entire body.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
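The attack the proposed note describes can be made concrete. The following is an added example, not code from the thread, the DKIM specification or any listed implementation: it models a signer that uses "l=" over a multipart/alternative body and shows the "alterations to the MIME structure" case, where an attacker who can also rewrite an unsigned Content-Type header swaps the boundary and appends a part of their own, so the original signed text becomes MIME preamble and only the attacker's part is rendered. The body canonicalization is an approximation of the "simple" algorithm, the header signature is an HMAC stand-in for DKIM's public-key signature (it only matters which fields it covers), and the messages, headers and the `SECRET` value are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
from email import message_from_string, policy

# Hypothetical signing key: stands in for the signer's RSA key and the DNS-published
# public key. Everything below is constructed sample data for the demonstration.
SECRET = b"hypothetical-signing-key"


def canonicalize_body_simple(body: str) -> bytes:
    """Approximation of RFC 6376 'simple' body canonicalization: CRLF line endings,
    trailing empty lines removed, body ends with exactly one CRLF."""
    data = body.replace("\r\n", "\n").replace("\n", "\r\n").encode()
    while data.endswith(b"\r\n\r\n"):
        data = data[:-2]
    if not data.endswith(b"\r\n"):
        data += b"\r\n"
    return data


def body_hash(canon_body: bytes, length=None) -> str:
    """bh= value: SHA-256 of the canonical body, or of only its first l= octets."""
    covered = canon_body if length is None else canon_body[:length]
    return base64.b64encode(hashlib.sha256(covered).digest()).decode()


def header_sig(headers, tags) -> str:
    """HMAC stand-in for the b= signature: covers the h= header fields plus the
    bh=, l= and h= tags of the signature itself."""
    covered = "".join(f"{h.lower()}:{headers[h]}\r\n" for h in tags["h"])
    covered += f"dkim-signature:bh={tags['bh']};l={tags['l']};h={':'.join(tags['h'])}"
    return hmac.new(SECRET, covered.encode(), hashlib.sha256).hexdigest()


def sign(headers, body: str, signed_headers, use_l: bool) -> dict:
    """Build a DKIM-Signature-like tag set; with use_l the l= tag covers the whole
    body as it exists at signing time, and nothing appended later."""
    canon = canonicalize_body_simple(body)
    tags = {"h": list(signed_headers), "bh": body_hash(canon),
            "l": len(canon) if use_l else None}
    tags["b"] = header_sig(headers, tags)
    return tags


def verify(headers, body: str, tags, honor_l=True) -> bool:
    """Verifier. With honor_l=False the l= tag is ignored, so the entire body
    must hash to bh=, which is the 'verifiers might wish to ignore the tag' option."""
    if not hmac.compare_digest(header_sig(headers, tags), tags["b"]):
        return False
    canon = canonicalize_body_simple(body)
    length = tags["l"] if honor_l else None
    return body_hash(canon, length) == tags["bh"]


# Constructed original message: one text/plain alternative.
ORIG_HEADERS = {"From": "billing@example.com", "To": "alice@example.net",
                "Subject": "Invoice",
                "Content-Type": 'multipart/alternative; boundary="orig"'}
ORIG_BODY = ("--orig\n"
             "Content-Type: text/plain\n\n"
             "Please pay the invoice to account A.\n"
             "--orig--\n")


def forge_mime_replacement(headers, body):
    """Attacker: rewrite the (unsigned) Content-Type boundary and append a part that
    uses the new boundary. The signed bytes become MIME preamble and are not shown."""
    forged_headers = dict(headers)
    forged_headers["Content-Type"] = 'multipart/alternative; boundary="evil"'
    forged_body = body + ("--evil\n"
                          "Content-Type: text/html\n\n"
                          "<p>Please pay the invoice to account B.</p>\n"
                          "--evil--\n")
    return forged_headers, forged_body


def rendered_parts(headers, body):
    """What a MIME-aware MUA sees: (content type, text) of each parsed part."""
    raw = "".join(f"{k}: {v}\n" for k, v in headers.items()) + "\n" + body
    msg = message_from_string(raw, policy=policy.default)
    return [(p.get_content_type(), p.get_content().strip()) for p in msg.iter_parts()]


def demo():
    """Weak signer (l= used, Content-Type unsigned) against two hardened variants."""
    weak = sign(ORIG_HEADERS, ORIG_BODY, ["From", "To", "Subject"], use_l=True)
    fh, fb = forge_mime_replacement(ORIG_HEADERS, ORIG_BODY)
    results = {
        "weak_accepts_original": verify(ORIG_HEADERS, ORIG_BODY, weak),
        "weak_accepts_forgery": verify(fh, fb, weak),
        "forged_parts": rendered_parts(fh, fb),
        "ignore_l_rejects": verify(fh, fb, weak, honor_l=False),
    }
    # Hardening 1: also sign Content-Type, so the boundary cannot be swapped.
    ctype = sign(ORIG_HEADERS, ORIG_BODY, ["From", "To", "Subject", "Content-Type"], use_l=True)
    results["signed_ctype_rejects"] = verify(fh, fb, ctype)
    # Hardening 2: omit l= entirely, so any appended bytes break bh=.
    no_l = sign(ORIG_HEADERS, ORIG_BODY, ["From", "To", "Subject"], use_l=False)
    results["no_l_rejects"] = verify(fh, fb, no_l)
    results["no_l_accepts_original"] = verify(ORIG_HEADERS, ORIG_BODY, no_l)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows the weak signature verifying on both the original and the forged message while the forged message parses to a single text/html part containing the attacker's text; ignoring "l=" at the verifier, signing Content-Type, or simply not emitting "l=" when the whole body is signed each causes the forgery to fail.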