>> I don't think we actually understand all the ways that l= allows you to
>> shoot yourself in the foot, so I would prefer not to give the impression
>> that if people avoid a few cases we describe, they're safe.
>
> -1, I agree we don't know all the ways DKIM can be fooled. Neither did we
> actually see real attacks in the wild. We don't even state how to
> react to multiple Froms. Presumably, the wider the DKIM deployment,
> the more we'll learn on handling attacks. However, hiding the few
> things we know doesn't seem to be a good start toward such watchful
> cooperative deployment.

The message should be don't use l= if you care about your signature.

I don't think we yet have consensus to take out l= but it is quite
clear that the problems it causes are far greater than whatever
problems it might solve.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
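
Added illustration, not part of the messages above and not code from any DKIM implementation: a verifier-side check that recomputes bh= and reports how many body bytes an l= signature leaves uncovered. It assumes a=rsa-sha256 with "simple" body canonicalization and does not verify b=; the sample bodies, the d=/s= values and the "trusted" policy are constructed for the example.

```python
import base64
import hashlib

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def canon_simple(body: bytes) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def _bh(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def body_coverage(sig_value: str, body: bytes) -> dict:
    """Check bh= and count canonicalized body bytes the signature does not cover."""
    tags = parse_tags(sig_value)
    canon = canon_simple(body)
    signed = int(tags["l"]) if "l" in tags else len(canon)
    if signed > len(canon):  # l= larger than the body: the hash cannot match
        return {"bh_ok": False, "signed": len(canon), "unsigned": 0, "trusted": False}
    bh_ok = _bh(canon[:signed]) == tags.get("bh")
    unsigned = len(canon) - signed
    # Local policy (assumption): a body with unsigned bytes is not treated as signed.
    return {"bh_ok": bh_ok, "signed": signed, "unsigned": unsigned,
            "trusted": bh_ok and unsigned == 0}

# Constructed sample data; the b= value is a placeholder and is never verified here.
ORIGINAL = b"Hello,\r\nthis is the text the signer saw.\r\n"
APPENDED = b"Text added in transit.\r\n"

def make_sig(body: bytes, with_l: bool) -> str:
    """Build a sample DKIM-Signature value for the constructed body."""
    canon = canon_simple(body)
    l_tag = f" l={len(canon)};" if with_l else ""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel;{l_tag}"
            f" h=from:subject; bh={_bh(canon)}; b=PLACEHOLDER")

if __name__ == "__main__":
    for with_l in (True, False):
        print(with_l, body_coverage(make_sig(ORIGINAL, with_l), ORIGINAL + APPENDED))
```

With l= present the body hash still matches after the extra text arrives and only the "unsigned" count shows the gap; without l= the same change makes bh= fail.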