I think that the question here is going to be how much we are going to
require nowsp verifiers to know about MIME.
If we need to break a few signatures here for edge cases like MIME
headers that overflow that would be OK with me.
We should get it right though.
-----Original Message-----
From: owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Thomas
Roessler
Sent: Wednesday, July 20, 2005 2:56 PM
To: Douglas Otis
Cc: Michael Thomas; IETF MASS WG
Subject: Re: nowsp considered harmful
On 2005-07-20 10:34:24 -0700, Douglas Otis wrote:
On Jul 20, 2005, at 8:37 AM, Michael Thomas wrote:
Thomas Roessler wrote:
Or one could insert an empty line in front of a
content-type header,
turning an HTML body part into a text/plain one. (Do that on a
large scale with a legitimate, DKIM-signed HTML message from some
large financial institution, and see how their helpdesk reacts to
it.)
Huh? This would break the signature. In any case, banks are poster
children for users who should use simple.
While I agree this technique would break the signature,
It wouldn't...
--foobar
Content-Type: text/html
<html>...
Turns into:
--foobar
Content-Type: text/html
<html>...
(I.e., we now have a Content-Type line in the body, and an
empty MIME header. That is, the MIME body part's type is, by default,
text/plain.)
Regards,
--
Thomas Roessler, W3C <tlr(_at_)w3(_dot_)org>