Steve Atkins wrote:
> On May 20, 2009, at 2:17 PM, Michael Thomas wrote:
>> Steve Atkins wrote:
>>> Why would you want to sign email as something you vouched for,
>>> while still enabling anyone to replace the content of the email
>>> with something else without invalidating that signature?
>> You can't replace it; you can only append to it.
> That's likely wrong, depending on the details of the l= usage.

   No I'm not.

> Firstly, one expressed use case for l= is "l=0" - in other words, don't
> sign any of the body. In that case I can put any body content in there
> I like, and it'll still be validly signed.

   That's still appending.

> Another use case is to use l= to sign a text part of an email, but not
> to sign an attachment. 

   That's still appending.

> Another use case is to set l= to the entire length of the email as sent.

   That's still appending.

   DKIM only talks about taking responsibility, and only for the parts that
   are signed. How an evaluator deals with the unsigned parts of a message
   is outside of the scope of DKIM.

 > (though the supposed benefit it offers is not clear)

   You forgot "to me".

NOTE WELL: This list operates according to

Reply via email to