Is this new text for section 9.1 Misuse of Body Length Limits ("l=" Tag)?
Murray S. Kucherawy wrote:
> INFORMATIVE IMPLEMENTATION NOTE: Using body length
> limits enables an attack in which an attacker modifies a
> message to include content that solely benefits the
> attacker. It is possible for the appended content to
> completely replace the original content in the end
> recipient's eyes, such as via alterations to the MIME
> structure or exploiting lax HTML parsing in the MUA,
> and to defeat duplicate message detection algorithms.
> To avoid this attack, signers should be wary of using
> this tag, and verifiers might wish to ignore the tag,
> {DKIM 2} perhaps based on other criteria.
>
> I'm worried that without this, a neophyte won't see what the attack is.
>
> I'm fine with the proposed simplification of 9.1, and I
> think at least Dave and JD have +1'd it already as well.
>
> Is that acceptable?

+1.

Small note if you are concerned about "neophytes." There are sentences where "l=" is referenced where it sounds like the tag is expected to be there or needs to be used. So maybe an additional sentence can be appended to the above:

Signers do not need to add the "l=" tag to the signature if they are signing the entire body.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
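As an added illustration of the verifier-side view the note describes (this is not code from the thread or from any DKIM implementation), the check below parses a DKIM-Signature tag list, applies RFC 6376 "simple" body canonicalization, reports how many octets of the body fall outside the "l=" count, and applies the "ignore the tag" policy. The header and bodies are constructed samples; bh=/b= hold placeholders because signature verification itself is out of scope here.

```python
import re
from typing import Dict

def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Parse a DKIM-Signature tag=value list into a dict (whitespace stripped)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def simple_body_canon(body: str) -> bytes:
    """'simple' body canonicalization: CRLF endings, trailing empty lines dropped,
    exactly one CRLF at the end (an empty body becomes a single CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")

def check_body_length(header_value: str, body: str) -> dict:
    """Report how much of the canonicalized body the l= count actually covers."""
    tags = parse_dkim_tags(header_value)
    canon = simple_body_canon(body)
    if "l" not in tags:                       # no limit: whole body is signed
        return {"status": "full", "unsigned_octets": 0}
    if not tags["l"].isdigit() or int(tags["l"]) > len(canon):
        return {"status": "invalid", "unsigned_octets": 0}  # count exceeds body
    covered = int(tags["l"])
    if covered == len(canon):
        return {"status": "full", "unsigned_octets": 0}
    return {"status": "partial", "unsigned_octets": len(canon) - covered,
            "unsigned_tail": canon[covered:]}

def accept_under_policy(result: dict, ignore_partial: bool = True) -> bool:
    """Policy from the note: unsigned trailing content is ignored by default."""
    if result["status"] == "invalid":
        return False
    return result["status"] == "full" or not ignore_partial

# Constructed sample: bh=/b= are placeholders, signature crypto is not checked.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel; "
              "l=34; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
SIGNED_BODY = "Hello,\r\nSee the attached report.\r\n"          # 34 octets
TAMPERED_BODY = SIGNED_BODY + "<p>Unsigned appended content</p>\r\n"

if __name__ == "__main__":
    for name, body in (("original", SIGNED_BODY), ("appended", TAMPERED_BODY)):
        r = check_body_length(SAMPLE_SIG, body)
        print(name, r["status"], r["unsigned_octets"], accept_under_policy(r))
```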