[ietf-dkim] ISSUE: tag l=2 and dealing with leading blank
lines for SIMPLE c14n.
Eric Allman
eric+dkim at sendmail.org
Thu Jan 25 14:34:59 PST 2007
--On January 24, 2007 2:08:24 PM -0500 Hector Santos
<hsantos at santronics.com> wrote:
> At the very least, Eric should add a statement about omitting the
> l= tag to avoid any signer concern about partial hashing body
> limit replay exploits.
There are already several warnings in the draft about the dangers of
using "l=". We know that the point of "l=" is to allow appending of
trailers, as Charles pointed out. We also know that it creates a
risk of exploitation, and there are warnings about that in sections
3.5 and 8.1.
And frankly, I don't see why a leading <CRLF> is a special case.
Adding a special warning about "l=2" and <CRLF> just seems
unnecessary, and opens up a whole can of worms. Suppose the body
begins with "--" (not unlikely in a MIME message) --- should this be
specifically mentioned as well? If it begins with two <CRLF>s and
has "l=4", it is essentially the same case. Suppose it only signs to
the end of the first MIME separator? Suppose the message begins
"Dear " and has "l=5", or "<CRLF><CRLF>--On " and "l=9" (as this
message does)?
eric
More information about the ietf-dkim
mailing list