I've read your mail twice now and I honestly cannot see
what's there that really needs to be addressed in terms
of potential changes to the charter.
Meanwhile, and for the n-th time: the whole of SSP is
"in-play" for the wg to address - and its been
explicitly acknowledged that the wg might conclude "SSP
considered harmful". Its true that a whole bunch of
the BoF participants would totally disagree with that
outcome, but that's for the wg to conclude, during
summer '06, according to the current schedule.
So, for now, any criticism you want to make is IMO much
better cast in terms of threats - described following the
template Jim just sent out. (Which is what I'd really
love to see as the target for our collective efforts
PS: I just cannot see how you can validly claim that
discussion of your issues is being "skipped over" - do
you want me to do the #mails x #lines arithmetic on
this topic for the last couple of months' postings:-)
PPS: Maybe if you know of someone else who shares your
concern you could ask them to present the issue, *as
it affects the charter*?
Douglas Otis wrote:
On Nov 15, 2005, at 2:55 PM, Stephen Farrell wrote:
Dave Crocker wrote:
5. At some point, the question becomes one of worrying about
> the DOS potential of your constantly posting lengthy notes
> that regurgitate the same points that continue to fail to
> gain support.
I have a tendency to delve too deeply, and I will attempt to curtail
this as best I can.
But, of course, that is just my own perspective.
(No Dave, I'm fairly sure that others share your perspective:-)
Doug, the charter as-is does have the required support to go
forward. There's nothing to be achieved by trying for the
changes you'd like at this stage. My bet is that those changes
just won't happen given the where the consensus lies.
You could be right, but let's not skip over a rather important
discussion. I have no desire to disrupt progress.
This issue has not been well explored, and indeed remains a topic that
exists mostly under the surface. Much of the SSP effort was done off
the mailing-list. Even rather startling changes related to multiple
From email-addresses were added before discussion on the
mailing-list. Indeed, these last minute changes were not reviewed at
the BoF. Anticipating email-address constraints resulting from
proposed changes _should_ be explored. The charter unfortunately seems
to have reached a conclusion that the email-address will be bound to
what is essentially the MTA to MTA transport. : (
When the From email-address is considered to be independent of the
signing-domain, then best practices would allow a mailing-list to add
their signature without other changes. MUAs and Mailing-list
applications could continue to function as expected. Rather than
discovering the IP addresses used by mailing-list servers as suggested,
their signature could be used instead. Accountability could be
retained at the signing-domain.
Should DKIM be expected to directly prevent the misuse of a From
email-address? There should be little doubt that email filters will
independently ascertain domains experiencing spoofing exploits and
offer the needed constraints which will include much more than just the
From email-address. Over time, DKIM aware MDAs/MUAs will make this
effort unneeded. However, when these likely inadequate From
email-address constraints are seen as the norm, then a major and
expensive transformation in the way email works will occur.
Seeing this as the issue, I wish to disagree with Dave about what is
being said within the charter.
1. The charter does not constrain email addresses.
The first two sentences of the charter:
| The Internet mail protocols and infrastructure allow mail sent
| from one domain to purport to be from another. While there are
| sometimes legitimate reasons for doing this, it has become a
| source of general confusion, as well as a mechanism for fraud
| and for distribution of spam (when done illegitimately, it's
| called "spoofing").
"sent from one domain to purport to be from another" refers to email-
This paragraph concludes with:
| ... and to publish "policy" information about how it applies those
| signatures. Taken together, these will assist receiving domains in
| detecting (or ruling out) certain forms of spoofing as it pertains
| to the signing domain.
Detecting a spoof of course _clearly_ refers to email-address
2. Dkim does not create or specify any inherent email address
Should DKIM be specifying email-address constraints and directly
detecting spoofed email-addresses? This is a critical decision with
far reaching ramifications. This effort would only change the nature
3. An IETF wg charter specifies near-term activities, not long term.
While indeed work would be near-term, goals should be appropriate long
ietf-dkim mailing list