ietf-dkim
[Top] [All Lists]

Re: [ietf-dkim] 23 again (sorry John) was Output summary - proposing ODID "Originating Domain Identity"

2011-05-05 16:00:48
If this is the sort of advice we are going to give then we should just
deprecate "l=".

+1: it was an error in the PS and the DS fixes it.

Alternatively we can allow it, warn, and expect implementers to code
heuristics that can discern attacks from regular footers.

Speaking as an implementer, I ignore l=, because the hassle of working
around it and trying to guess how hostile any added content might be is
vastly greater than any utility it has.  As I've often noted, there are
about a hundred ways that a mailing list can break a signature, and l=
deals (badly) with only one of them.

I agree, as a participant.  Nevertheless, we have consensus to leave
it in because of the stats Murray gave us on the usage (on the signing
side).

We certainly could deprecate it, and add something that says that
verifiers MAY consider a signature for which l= is less than the full
message length to fail verification.  Such a change should have been
proposed earlier in the process, but I won't consider it out of scope
if we have consensus to do that now.

And, of course, we can always add non-normative advice somewhere (but
I suggest NOT in 4871bis) that evaluation systems that use DKIM should
check l= against the message length when deciding what to do.

Barry, as chair

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html

<Prev in Thread] Current Thread [Next in Thread>