It appears that Wei Chuang  <wei...@google.com> said:
>Hi DKIM folks,
>As many of you know there was a DKIM security vulnerability disclosure
>Friday around the signature header body length tag "l=". The blog post is
>here: https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/
>The authors state that an adversary can append a malicious footer to a
>message with DKIM w/body length, then rewrite the Content-type header mime
>delimiter, that will cause the apparent body to be that of the footer but
>will authenticate as the original DKIM signature.

This exact attack is described on page 41 of RFC 6376:

   If the "l=" signature tag is in use (see Section 3.5), the Content-
   Type field is also a candidate for being included as it could be
   replaced in a way that causes completely different content to be
   rendered to the receiving user.

There really is nothing whatsoever new here.

I agree that it would be a good idea to discourage people from using
the l= tag but first I am trying to talk to the few places that send
me l= mail and see if I can figure out why they do it.

R's,
John

_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org
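
A receiver-side check for the condition quoted from RFC 6376 above, as an added example that is not part of the original message: for each DKIM-Signature carrying l=, it reports how many canonicalized body octets fall outside the signed length and whether Content-Type is listed in h=. The sample message, its placeholder bh=/b= values and the function names are constructed for illustration, and no signature is verified.

```python
import re
from email import message_from_bytes

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def canon_body(body, relaxed):
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if relaxed:  # collapse runs of WSP, drop WSP at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore trailing empty lines
        lines.pop()
    out = b"".join(ln + b"\r\n" for ln in lines)
    return out if out or relaxed else b"\r\n"

def audit(raw):
    """Return one finding per DKIM-Signature header that carries an l= tag."""
    head, _, body = raw.partition(b"\r\n\r\n")
    msg = message_from_bytes(head + b"\r\n\r\n")
    findings = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        if "l" not in tags:
            continue
        signed = {h.lower() for h in tags.get("h", "").split(":")}
        body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
        total = len(canon_body(body, body_canon == "relaxed"))
        findings.append({
            "domain": tags.get("d"),
            "unsigned_octets": max(0, total - int(tags["l"])),
            "content_type_signed": "content-type" in signed,
        })
    return findings

# Constructed sample: bh= and b= are placeholders, nothing here is verified.
SAMPLE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    b"\ts=sel; h=from:to:subject; l=14; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: a@example.com\r\nTo: b@example.net\r\nSubject: hi\r\n"
    b"Content-Type: text/plain\r\n\r\nHello, world\r\nAppended footer\r\n"
)
```

A finding with `unsigned_octets` above zero and `content_type_signed` false marks a message whose rendered content is not covered by the signature, even if the signature itself verifies.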
