On April 10, 2014 7:24:54 PM EDT, LuKreme <krem...@kreme.com> wrote:
>
>On 10 Apr 2014, at 17:01 , Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Fri, Apr 11, 2014 at 12:57:54AM +0200, li...@rhsoft.net wrote:
>>
>>>> That said, I thought DKIM ignored everything after the signature
>>>> delimiter, so if the lists attach the footer *properly* it shouldn't
>>>> be an issue
>>
>> No, the DKIM spec makes no allowance for signature delimiters. If
>> the body is modified beyond adding or removing whitespace (with relaxed
>> canonicalization) the DKIM check fails.
>
>That seems like a bug in the implementation of DKIM.

It was a deliberate design choice. The signature wouldn't mean much if adding arbitrary text to the message didn't invalidate the signature. It would open the protocol up to replay attacks. There is a virtually unused L tag to embed the length of signed content into the signature, but its use is strongly disrecommended.

>>> the subject also doesn't matter in case of signed messages
>>> it is a HEADER and headers are added at every hop
>>
>> DKIM also signs message headers.
>
>Certain headers, not all of them.

Yes, but subject is generally signed (I don't recall seeing a case where it wasn't).

Scott K
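
The behaviour discussed in this thread can be checked directly. The following Python sketch is an added example, not code from the thread or from any DKIM implementation: it applies relaxed body canonicalization as defined in RFC 6376 section 3.4.4 and computes the `bh=` body hash, with and without an `l=` length. The sample bodies, the footer and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of space/tab to one space, then drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Empty lines at the end of the body are ignored.
    while lines and lines[-1] == b"":
        lines.pop()
    # A non-empty canonical body ends with exactly one CRLF.
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, length=None) -> str:
    """bh= value: base64(SHA-256) of the canonical body, cut to l= octets if given."""
    canon = relaxed_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def body_verifies(signed_bh: str, received: bytes, length=None) -> bool:
    """True if the received body still matches the signed body hash."""
    return body_hash(received, length) == signed_bh

# Constructed sample bodies (not taken from the thread).
ORIGINAL = b"Hello list,\r\n\r\nPatch attached.\r\n"
WHITESPACE_ONLY = b"Hello  list, \r\n\r\nPatch\tattached.\r\n\r\n\r\n"
FOOTER = b"-- \r\nexample mailing list\r\nhttps://lists.example.org/\r\n"
WITH_FOOTER = ORIGINAL + FOOTER

SIGNED_BH = body_hash(ORIGINAL)               # what the signer puts in bh=
SIGNED_LEN = len(relaxed_body(ORIGINAL))      # what l= would carry

if __name__ == "__main__":
    # Whitespace-only changes survive relaxed canonicalization.
    print("whitespace only:", body_verifies(SIGNED_BH, WHITESPACE_ONLY))
    # A list footer changes the body hash, "-- " delimiter or not.
    print("footer added:   ", body_verifies(SIGNED_BH, WITH_FOOTER))
    # With l=, everything past the signed length is unauthenticated.
    print("footer, l= set: ", body_verifies(SIGNED_BH, WITH_FOOTER, SIGNED_LEN))
```

The last case shows why `l=` is discouraged: the check passes even though the text after the signed length is covered by nothing in the signature.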