mrisher / smtp-sts

SMTP Strict Transport Security
Apache License 2.0

DKIM signature may not cover the entire body #188

Open aykevl opened 7 years ago

aykevl commented 7 years ago

The DKIM signature may not cover the entire body (or any part of the body) using the l= parameter. Thus an email message with a valid DKIM signature could still be tampered with. I think the DKIM signature should cover the entire body, e.g. by disallowing the l= parameter or by requiring it to cover the entire attachment.

See RFC6376 section 8.2.
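
A receiver-side check for the condition described in the comment above, as an added example that is not part of the original thread or the project's code: it parses a DKIM-Signature header, canonicalizes the body, and returns the octets left outside the `l=` count. The function names, the sample header and the sample body are constructed for illustration.

```python
import re

def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag=value list (RFC 6376 section 3.2)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    tags = {}
    for item in unfolded.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)  # b= and bh= may contain '='
            tags[name.strip()] = value.strip()
    return tags

def canonicalize_body(body, algo):
    """Body canonicalization, RFC 6376 sections 3.4.3 (simple), 3.4.4 (relaxed)."""
    if algo == "relaxed":
        lines = body.split(b"\r\n")
        # Collapse runs of whitespace and drop whitespace at end of each line.
        body = b"\r\n".join(re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines)
    while body.endswith(b"\r\n"):  # ignore empty lines at the end of the body
        body = body[:-2]
    if not body and algo == "relaxed":
        return b""
    return body + b"\r\n"

def unsigned_tail(header_value, body):
    """Return the canonicalized body octets that the signature does not cover."""
    tags = parse_dkim_tags(header_value)
    c = tags.get("c", "simple/simple")
    algo = c.split("/")[1] if "/" in c else "simple"  # body algorithm defaults to simple
    canon = canonicalize_body(body, algo)
    if "l" not in tags:
        return b""  # no l= tag: the body hash covers the whole body
    length = int(tags["l"])
    if length > len(canon):
        raise ValueError("l= exceeds canonicalized body length")
    return canon[length:]

# Constructed sample: the signed part is 19 octets, the rest was added later.
SIG = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel1;\r\n"
       " l=19; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
BODY = b"Quarterly report.\r\n" + b"Appended after signing.\r\n"

if __name__ == "__main__":
    print(unsigned_tail(SIG, BODY))
```

A non-empty return value means the message can carry a valid signature while part of its body is unauthenticated, which is the case a policy rejecting or constraining `l=` would catch.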

abrotman commented 7 years ago

Sure, we can add that.

aykevl commented 7 years ago

Looks like it's fixed. Thanks!

danmarg commented 6 years ago

Per https://etherpad.tools.ietf.org/p/notes-ietf-100-uta, Jim Fenton points out that constraining the use of l= seems like a bit of a layering violation. I'm somewhat inclined to agree. l= may be a bad idea, but it's not especially worse here, is it?