[ietf-dkim] Features that could be reconsidered as part of the bis process
Eliot Lear
lear at cisco.com
Thu May 21 05:42:34 PDT 2009
On 5/20/09 11:42 PM, Murray S. Kucherawy wrote:
> Indeed, Outlook will opt to render an HTML part over a text part whenever
> given the choice. Thus, if you sign only the text/plain portion of a
> message and an attacker appends a text/html part, the unsigned HTML
> version will be rendered even if completely different from the text/plain
> part, and DKIM would give that a thumbs-up.
>
The conditions anticipated by l= were the limited case where a mailing
list would append bits of information, such that the rest of the
signature could be retained. As John has pointed out, that is
challenging because of all of the rewriting that goes on. So I think we
need to back up and decide whether it's worth arguing over whether a
behavior change in the base is something we want to encourage. I don't
have an opinion on that at the moment.
Eliot
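As an added illustration of the l= problem Murray describes, and not part of either message in this thread, the script below models only the bh= computation from RFC 6376 (simple body canonicalization, optionally truncated to the first l= octets); header hashing and the actual signature are left out. The multipart body, boundary string and appended text/html part are constructed sample data, and verify_body_strict is a verifier-side policy of this example, not something the spec mandates: it treats any canonicalized octets beyond l= as unsigned content and refuses to call the body verified.

```python
import base64
import hashlib
from typing import Optional, Tuple


def simple_canonicalize_body(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line endings, and any
    run of empty lines at the end of the body reduced to a single CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """bh= value: base64(SHA-256) over the canonicalized body, or over only
    its first `length` octets when the signature carries an l= tag."""
    canon = simple_canonicalize_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def sign_body(body: bytes) -> Tuple[str, int]:
    """Signer side: hash the whole canonicalized body and record its length
    as l=, the way a signer hoping to survive list footers would."""
    canon = simple_canonicalize_body(body)
    return body_hash(body), len(canon)


def verify_body(body: bytes, bh: str, length: int) -> bool:
    """Plain RFC 6376 body check: only the first l= octets are compared,
    so anything appended after them is invisible to the verifier."""
    return body_hash(body, length) == bh


def verify_body_strict(body: bytes, bh: str, length: int) -> Tuple[bool, str]:
    """Defensive policy (this example's choice, not the RFC's): a matching
    bh= is not enough if the body is longer than l=, because the trailing
    octets are unsigned and a MIME-aware MUA may render them in preference
    to the signed part."""
    if not verify_body(body, bh, length):
        return False, "body hash mismatch"
    unsigned = len(simple_canonicalize_body(body)) - length
    if unsigned > 0:
        return False, f"{unsigned} unsigned trailing octets beyond l="
    return True, "body fully covered by signature"


# Constructed sample: a text/plain part signed with l= covering exactly what
# the signer saw, then an unsigned text/html part appended in transit.
ORIGINAL_BODY = (
    b"--boundary42\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Your order total is $100.\r\n"
)
APPENDED_HTML_PART = (
    b"--boundary42\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<p>Your order total is $9,999.</p>\r\n"
    b"--boundary42--\r\n"
)


def demo() -> dict:
    """Sign the original body, then verify both it and the tampered body
    with the plain check and with the strict policy."""
    bh, l = sign_body(ORIGINAL_BODY)
    tampered = ORIGINAL_BODY + APPENDED_HTML_PART
    return {
        "plain_original": verify_body(ORIGINAL_BODY, bh, l),
        "plain_tampered": verify_body(tampered, bh, l),
        "strict_original": verify_body_strict(ORIGINAL_BODY, bh, l),
        "strict_tampered": verify_body_strict(tampered, bh, l),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The plain check accepts the tampered message because the first l= octets are byte-for-byte what the signer hashed; the appended HTML part, which Outlook would render instead of the signed text, never enters the hash. The strict variant keeps the bh= check but also compares l= against the canonicalized body length, which is the only signal a verifier has that unsigned material follows the signed prefix.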