Michael Thomas wrote:
Ned Freed wrote:
------------------------------------------------
While the techniques specified by the DKIM working group will not
prevent fraud or spam, they will provide a tool for defense against
them by allowing receiving domains to detect spoofing of known domains.
The standards-track specifications will not mandate any particular
action by the receiving domain when spoofing is detected. That said,
with the understanding that guidance is necessary for implementers, the
threat summary should document a reasonable set of possible actions and
strategies, and analyze their likely effects on attacks and on normal
email delivery. The DKIM working group will not attempt to establish
requirements for trust relationships between domains or to specify
reputation or accreditation systems.
------------------------------------------------
This basically seems OK to me. I do question whether the threat analysis
document (which I guess we're calling the threat summary now) is the
right
place for this, however. And even if it ends up being the right place,
do we
really want to mandate the eventual location in the charter?
Right. This seems pretty clearly to me to be a BCP kind of
thing. Which I think may be a pretty good idea, but it seems
a bit of cart-before-horse to declare "best" and "common" before
there's even a "common", let alone "best".
My impression is that there's no requirement for a comprehensive
analysis (of possible actions following receipt) at this stage, but
more for something with just a bit more coverage than an existence
proof (that there's at least one set of actions that make sense).
So the "reasonable set of possible actions" isn't meant to be
a very onerous target, or at least that's how I interpret it.
At a later stage someone could think of making up a BCP, but
like you said, that's a good bit down the road.
Stephen.
_______________________________________________
ietf-dkim mailing list
http://dkim.org