On 12/2/2024 5:52 PM, Stephen Farrell wrote:
On 03/12/2024 00:40, Dave Crocker wrote:
I gave reasons for suggesting this is IRTF work.
In the message to which I was reacting you said:
* As provided, this is an extremely broad and extremely vague
statement of work. It continues to sound far more appropriate for
the IRTF than the IETF, especially absent a concete draft
specification to take as input.
I don't think broad+vague means research, even if extreme.
Steve,
Hmmm. The 'continues' was certainly an odd choice for use in a first
bullet. So much for my proofing of summary text, drawn from the detail.
As for that detail...
The 'continues' reference, was used because the draft has commentary
pointing to substantive unknowns.
So from the rest of my summary:
* Second bullet: "The draft seems to include a target of 'trust
relationships' which is an open research topic that DKIM only
indirectly relates to, except for trusting a signature."
* Third bullet: "IETF Internet Mail handling really only covers a
single posting/delivery sequence. It touches on more elaborate
sequences, but only piecemeal. And draft charter does not really
note or deal with this difference in scope. So the proffered
'holistic' effort is a very considerable increase in scope from
something labeled DKIMbis or DKIM2"
And later in my note:
*
"DKIM was designed to work from one posting to one delivery. It was
never intended to survive the vagaries of what can happen between a
delivery and a next posting. That it sometimes does survive is
nice, but was not a design goal.
So what is being sought here is a very basic and very substantial
increase in scope for DKIM."
* "DKIM does not attempt to distinguish 'legitimate' mail from mail
that is not legitimate." Yet the charter cites that as a goal.
* Reference to replay does not distinguish which kind is an issue, and
the only kind that has been discussed is from bad actors who are
authorized users of the abused domain. Hence the problem is,
really, internal to the services with a problem.
* There is reference to 'alteration by bad actors' yet to my knowledge
this has no history of discussion in the community and has not been
cited as a problem for DKIM.
* There is a vague reference to problems with error handling. Again,
what are they? I don't recall seeing a significant history of this
being a problem discussed in the email or anti-abuse community.
Further, the charter seems to confuse upgrade with replacement.
Replacing an installed base of SPF, DKIM, and DMARC usage is quite a bit
more difficult than starting fresh. Yet there is no indication that
that challenge has been factored in.
And then there is the charter text that seems to call for replacing not
just DKIM, but all of email:
To achieve its goals, this work requires a wide scope. The design
may supersede, modify, or replace many parts of the current email
infrastructure and associated reporting mechanisms - while
retaining the ability to support existing use-cases.
Oh. In parallel with existing /email/. You want to replace the
current Internet Mail infrastructure. Gosh...
Forgive me, but, again, this is something for the IRTF, not the IETF.
As I understand it, the proponents want to develop a new version of
DKIM, which should be a straight engineering task.
Absent specific goals and a reasonable sense of how to achieve them, how
can you class the effort as 'straight engineering'? Take the aggregate
of issues they cite, with the very long history of non-progress on most
of them, and I am at a lost to see how an expectation of 'straight' is apt.
I do agree that some of the written description is vague at present.
But I'd say that might well be fixed relatively quickly, either via
a draft that sets out more of the specifics, or via the inability to
produce such a thing, in which case the proposed WG wouldn't thrive,
but it wouldn't be the first time that happened.
The topics they touch on have been issues for years, with no proffered
solutions that have gained any traction. Again, take that history and
note the lack of detail in their current documentation, and there is no
basis for believing that anything is going to get 'fixed relatively
quickly', in spite of how excellent the proponents are.
Personally, I'd be confident enough in the proponents to be ok with
that draft being produced after a WG is formed, (followed by an
adoption discussion), but I can see that others might disagree with
that.
They have been meeting and discussing this topic for months. And yet
there is no technical detail so far.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
*** bluesky: @dcrocker.bsky.social ***
mast: @dcrocker@mastodon.social
_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org