Ned Freed wrote:
------------------------------------------------
While the techniques specified by the DKIM working group will not
prevent fraud or spam, they will provide a tool for defense against
them by allowing receiving domains to detect spoofing of known domains.
The standards-track specifications will not mandate any particular
action by the receiving domain when spoofing is detected. That said,
with the understanding that guidance is necessary for implementers, the
threat summary should document a reasonable set of possible actions and
strategies, and analyze their likely effects on attacks and on normal
email delivery. The DKIM working group will not attempt to establish
requirements for trust relationships between domains or to specify
reputation or accreditation systems.
------------------------------------------------
This basically seems OK to me. I do question whether the threat analysis
document (which I guess we're calling the threat summary now) is the right
place for this, however. And even if it ends up being the right place, do we
really want to mandate the eventual location in the charter?
Right. This seems pretty clearly to me to be a BCP kind of
thing. Which I think may be a pretty good idea, but it seems
a bit of cart-before-horse to declare "best" and "common" before
there's even a "common", let alone "best".
That said, in lieu of a BCP I'd rather this sort of guidance go
in the security considerations, or some other non-normative section
of -base or -ssp as it's obvious that I have to read those, and not
at all obvious that I should read the threat analysis.
Mike
_______________________________________________
ietf-dkim mailing list
http://dkim.org