Stephen Farrell wrote:
> Jim Fenton wrote:
>> I question whether the threat summary/analysis document is the place
>> that this issue will get the proper attention by those contemplating
>> and implementing DKIM. I think the other places that have been
>> suggested (Security Considerations for one of the specifications, or
>> some sort of Implementers' Guide BCP) provide more visibility for
>> this, as I think it's an important point to make. Having issues be
>> visible in the right places is more important than whether we do it
>> early in the process, IMO.
>
> I do agree, but it may be a price worth paying. In any case, if
> the threat analysis contained an initial cut at this and some
> later document did the job better, that'd be ok too, even if
> slightly inefficient. As someone else implied, the threat analysis
> won't be historically very interesting but is critical in terms
> of getting the process done & so we produce a good result.
>
> Do you think Hector's table is a good start? Seems to me like
> it might be.

I really like Hector's table, and the terminology he has introduced to
make it easier to talk about the SSP policies. I think we still need to
talk through the specifics of the table once we get chartered, as there
will be some disagreement over the content of specific cells. For
example, I'm not convinced of the utility of the "weak" policy. But
that's good stuff to address once we get chartered.

However, as Hector says, "How a system reacts is implementation and
local policy based." I'm concerned that the specificity of the table
will lead people to think it's cast in stone. It's not. We need to be
careful about the way we frame it.

-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org