author: Jeremy Harris <jgh146exb@wizmail.org> 2018-05-17 11:18:04 +0100
committer: Jeremy Harris <jgh146exb@wizmail.org> 2018-05-19 22:12:56 +0100
commit: caf6aa3b459c73c266d5c7caf66620afb733fbbb (patch)
tree: 005b17fb2b358b7ace6fe95d387511c47f33025d
parent: 805fd869d551c36d1d77ab2b292a7008d643ca79 (diff)
Docs: add note on DKIM signing-limit security
-rw-r--r-- doc/doc-docbook/spec.xfpt | 6
1 file changed, 6 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 44022291c..c4b3837da 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -39261,6 +39261,12 @@ strict enforcement should code the check explicitly.
The number of signed body bytes. If zero ("0"), the body is unsigned. If no
limit was set by the signer, "9999999999999" is returned. This makes sure
that this variable always expands to an integer value.
+.new
+&*Note:*& The presence of the signature tag specifying a signing body length
+is one possible route to spoofing of valid DKIM signatures.
+A paranoid implementation might wish to regard signature where this variable
+shows less than the "no limit" return as being invalid.
+.wen
.vitem &%$dkim_created%&
UNIX timestamp reflecting the date and time when the signature was created.
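Review bot: The last sentence of the added note is ungrammatical and too vague to act on: "regard signature where this variable shows less than the "no limit" return as being invalid" should read along the lines of "regard a signature for which this variable is less than the "no limit" value (9999999999999) as invalid", since the paragraph just above documents that literal and an operator needs it to write the comparison. It would also help to say in one clause what the exposure is, namely that body bytes beyond the signed length are not covered by the signature, so the reader understands why a limited signed length weakens the verification result rather than reading "spoofing" as a forged signature. Consistent with the surrounding text that leaves strict enforcement to explicit checks, the note could state plainly that this comparison is not applied by default.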