[ietf-dkim] one more comment I forgot...
stephen.farrell at cs.tcd.ie
Thu Jan 12 05:33:55 PST 2006
Michael Thomas wrote:
> Stephen Farrell wrote:
>> Yes, but mucking up a signature is already covered in the
>> draft whereas totally ditching one isn't.
>> (Perhaps "forwarder" wasn't the right term - if not, mea
> From a threat perspective, the two are identical, right? If a
> receiver in any way treats broken signatures different than
> missing signatures, an attacker can exploit the preferable
> treatment trivially.
Hmm...I guess so. Though the base-01 currently says (end of
page 30) "Separate policies MAY be defined for unsigned
messages, messages with incorrect signatures, and when the
signature cannot be verified."
Signature deletion is worth maybe a quick mention in threats
but no more I'd say, unless someone figures out some scenario
where this has more impact.
More information about the ietf-dkim