[ietf-dkim] Re: dkim service and mail lists
mike at mtcc.com
Wed Oct 19 14:43:18 PDT 2005
> On Wed, 19 Oct 2005, Michael Thomas wrote:
>>> The only way to have the length specifier not be a security
>>> vulnerability is to require all verifiers to strip all content that
>>> exceeds the length.
>> Which is to say that today (eg, pre-DKIM), any inbound MTA ought to
>> strip all content.
> I'm surprised to hear that from you. I thought it was well understood
> that we were talking about this only being done when signature is
> present (and has been verified) that includes length and that length
> does not match the actual message.
Er, um, oh bother. The point being that currently mail is not signed
yet we somehow limp on without stripping "extra" content. There's
not much reason to believe that the transition to our future cannot still
allow for shades of gray for some period of time.