ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] Ticket 23 -- l= and Content-type

2011-05-02 14:34:32
On May 1, 2011, at 10:15 AM, Dave CROCKER wrote:

On 4/30/2011 11:43 PM, Murray S. Kucherawy wrote:
I'd like to leave in MIME and HTML exploits as examples if people agree that 
wouldn't be harmful, such as this updated text in 4.4.5:

                     <t>INFORMATIVE IMPLEMENTATION NOTE: Using body length
                        limits enables an attack in which an attacker 
modifies a
                        message to include content that solely benefits the
                        attacker. It is possible for the appended content to
                        completely replace the original content in the end
                        recipient's eyes, such as via alterations to the MIME
                        structure or exploiting lax HTML parsing in the MUA,
                        and to defeat duplicate message detection algorithms.
                        To avoid this attack, signers should be wary of using
                        this tag, and verifiers might wish to ignore the tag,
                        {DKIM 2} perhaps based on other criteria.</t>

I'm worried that without this, a neophyte won't see what the attack is.

+1

+1

--
J.D. Falk
the leading purveyor of industry counter-rhetoric solutions


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html