On 12/2/2024 5:52 PM, Stephen Farrell wrote:

On 03/12/2024 00:40, Dave Crocker wrote:
I gave reasons for suggesting this is IRTF work.

In the message to which I was reacting you said:

 * As provided, this is an extremely broad and extremely vague
   statement of work.  It continues to sound far more appropriate for
   the IRTF than the IETF, especially absent a concete draft
   specification to take as input.

I don't think broad+vague means research, even if extreme.

Steve,

Hmmm.  The 'continues' was certainly an odd choice for use in a first bullet.  So much for my proofing of summary text, drawn from the detail.

As for that detail...

The 'continues' reference, was used because the draft has commentary pointing to substantive unknowns.

So from the rest of my summary:

 * Second bullet: "The draft seems to include a target of 'trust
   relationships' which is an open research topic that DKIM only
   indirectly relates to, except for trusting a signature."
 * Third bullet: "IETF Internet Mail handling really only covers a
   single posting/delivery sequence.  It touches on more elaborate
   sequences, but only piecemeal. And draft charter does not really
   note or deal with this difference in scope. So the proffered
   'holistic' effort is a very considerable increase in scope from
   something labeled DKIMbis or DKIM2"

And later in my note:

 *

   "DKIM was designed to work from one posting to one delivery. It was
   never intended to survive the vagaries of what can happen between a
   delivery and a next posting.  That it sometimes does survive is
   nice, but was not a design goal.

   So what is being sought here is a very basic and very substantial
   increase in scope for DKIM."

 * "DKIM does not attempt to distinguish 'legitimate' mail from mail
   that is not legitimate." Yet the charter cites that as a goal.
 * Reference to replay does not distinguish which kind is an issue, and
   the only kind that has been discussed is from bad actors who are
   authorized users of the abused domain.  Hence the problem is,
   really, internal to the services with a problem.
 * There is reference to 'alteration by bad actors' yet to my knowledge
   this has no history of discussion in the community and has not been
   cited as a problem for DKIM.
 * There is a vague reference to problems with error handling. Again,
   what are they?  I don't recall seeing a significant history of this
   being a problem discussed in the email or anti-abuse community.

Further, the charter seems to confuse upgrade with replacement. Replacing an installed base of SPF, DKIM, and DMARC usage is quite a bit more difficult than starting fresh.  Yet there is no indication that that challenge has been factored in.


And then there is the charter text that seems to call for replacing not just DKIM, but all of email:

    To achieve its goals, this work requires a wide scope. The design
    may supersede, modify, or replace many parts of the current email
    infrastructure and associated reporting mechanisms - while
    retaining the ability to support existing use-cases.

    Oh.  In parallel with existing /email/.  You want to replace the
    current Internet Mail infrastructure.  Gosh...

    Forgive me, but, again, this is something for the IRTF, not the IETF.


As I understand it, the proponents want to develop a new version of
DKIM, which should be a straight engineering task.

Absent specific goals and a reasonable sense of how to achieve them, how can you class the effort as 'straight engineering'? Take the aggregate of issues they cite, with the very long history of non-progress on most of them, and I am at a lost to see how an expectation of 'straight' is apt.


I do agree that some of the written description is vague at present.
But I'd say that might well be fixed relatively quickly, either via
a draft that sets out more of the specifics, or via the inability to
produce such a thing, in which case the proposed WG wouldn't thrive,
but it wouldn't be the first time that happened.

The topics they touch on have been issues for years, with no proffered solutions that have gained any traction.  Again, take that history and note the lack of detail in their current documentation, and there is no basis for believing that anything is going to get 'fixed relatively quickly', in spite of how excellent the proponents are.


Personally, I'd be confident enough in the proponents to be ok with
that draft being produced after a WG is formed, (followed by an
adoption discussion), but I can see that others might disagree with
that.

They have been meeting and discussing this topic for months.  And yet there is no technical detail so far.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
***  bluesky: @dcrocker.bsky.social  ***
mast: @dcrocker@mastodon.social
_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org

Reply via email to