On 3/10/23 6:14 AM, Laura Atkins wrote:


On 9 Mar 2023, at 22:47, Michael Thomas <m...@mtcc.com> wrote:


On 3/7/23 4:09 AM, Laura Atkins wrote:
There is a current problem statement at https://datatracker.ietf.org/doc/draft-chuang-dkim-replay-problem/. Please take a moment to read through it and provide feedback. This chair thinks we should not be providing solutions in the problem statement. We should be primarily describing what the issue is and why we think the issue is with the protocol. We will deal with solutions in the actual document.

What about solutions that have been tried but have drawbacks or are ineffective? It would be nice to know what the current baseline is.

In some respects that depends on what form the final document takes. If we do decide that the underlying problem is something that can be addressed with a protocol change, then we probably won’t mention mitigation steps that have been tried and either have drawbacks or are ineffective. If the outcome is a document saying that we looked at the problem and decided that the issue isn’t with the protocol and we recommend no protocol changes, then I can see the work product being a discussion of the non-protocol solution space. That would include different things folks have tried, what works and what doesn’t work.

I'm speaking only of the problem statement draft. Listing off things that have already been tried or considered and rejected would shorten the cycle when the next phase starts. And I thought that considering solutions was out of scope, so considering protocol changes would be out of scope too.


Also: I continue to be concerned about the hand wave-iness of the problem. That is both from the standpoint of M3AAWG which is members only and more importantly from various vendors who for their own reasons have little or no desire to disclose pertinent pieces of information in public. It's rather hard to "fix" a black box when you don't even know what it's doing.

You made your concerns abundantly clear during the re-chartering discussion. Given the IETF chose to recharter, the next steps are to craft a problem statement that documents and explains a DKIM replay attack in a way that’s accessible and understandable.

Do you have any questions, edits or specific wording related to better explaining the problem for either of the drafts that are currently under discussion?

I sent out a post with about 20 questions several weeks ago and got no response.

Mike
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
