ietf-mailsig
[Top] [All Lists]

RE: nowsp considered harmful

2005-07-20 12:10:51

I think that the question here is going to be how much we are going to
require nowsp verifiers to know about MIME.

If we need to break a few signatures here for edge cases like MIME
headers that overflow that would be OK with me. 

We should get it right though.

-----Original Message-----
From: owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org 
[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Thomas 
Roessler
Sent: Wednesday, July 20, 2005 2:56 PM
To: Douglas Otis
Cc: Michael Thomas; IETF MASS WG
Subject: Re: nowsp considered harmful



On 2005-07-20 10:34:24 -0700, Douglas Otis wrote:

On Jul 20, 2005, at 8:37 AM, Michael Thomas wrote:
Thomas Roessler wrote:

Or one could insert an empty line in front of a 
content-type header, 
turning an HTML body part into a text/plain one.  (Do that on a 
large scale with a legitimate, DKIM-signed HTML message from some 
large financial institution, and see how their helpdesk reacts to
it.)


Huh? This would break the signature. In any case, banks are poster 
children for users who should use simple.

While I agree this technique would break the signature,

It wouldn't...

      --foobar
      Content-Type: text/html
      
      <html>...

Turns into:

      --foobar

      Content-Type: text/html
      <html>...

(I.e., we now have a Content-Type line in the body, and an 
empty MIME header.  That is, the MIME body part's type is, by default,
text/plain.)

Regards,
-- 
Thomas Roessler, W3C   <tlr(_at_)w3(_dot_)org>





<Prev in Thread] Current Thread [Next in Thread>