Folks,
Here're the draft minutes from the BoF.
You can send corrections to me and/or the list as
necessary (keeping unnecessary list traffic down as
per previous request) anytime in the next week.
Regards,
Stephen.
64th DKIM BoF draft minutes
---------------------------
The DKIM BoF occurred on Monday Nov. 7th at 1pm, approximately 120 people
attended.
Excellent jabber log:
http://www.xmpp.org/ietf-logs/dkim(_at_)ietf(_dot_)xmpp(_dot_)org/2005-11-07.html
Meeting materials (scroll down to DKIM):
https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=64
Meeting audio:
http://limestone.uoregon.edu/ftp/pub/videolab/media/ietf64/ietf64-ch6-mon.mp3.1
Summary
-------
The BoF covered introductory stuff, a walkthrough of the draft charter (and
discussion thereon), and presentations about the proposed WG deliverables.
During the discussion a range of opinions were expressed, ranging from concern
about the scoping and potential impact of DKIM some years down the road, all
the way to comments that the barrier being placed here was far too high for
WG-formation. On the technical front, there were some concerns about the
sender signer policy proposal, which clearly needs work.
At the end of the BoF the chairs asked for a hum as to whether or not a wg with
the proposed charter should be chartered. The result was a fairly overwhelming
positive hum for WG-formation.
Actions:
1. Keith Moore took an action to try to propose some charter text he'd find
more acceptable.
2. There was a proposal to include, within some (possibly new) deliverable,
positive guidance (as opposed to text complaining about lists
"breaking" things) about how DKIM and mailing lists might co-exist.
Stephen Farrell took an action to bring this proposal to the DKIM list.
3. The BoF chairs will work with the AD (Russ) to get the charter into the
state required for an IESG decision on wg-formation.
BoF Agenda
----------
1. Agenda & introduction (10,Farrell)
2. Walk through proposed charter (15,Leiba)
3. Discussion of proposed charter -- open (20,Leiba)
4. Walk through threat analysis -- Fenton (15)
5. Walk through base spec -- Allman (10)
6. Walk through policy spec -- Allman (10)
7. Introduce other deliverables (10, Farrell)
8. Open discussion of specs & deliverables -- open (20, Farrell)
9. Decision: should a WG be formed with this charter? (10, Farrell)
The presentations and audio are available for the above, so these minutes will
just cover items #3, #8 and #9.
Charter discussion
------------------
- Doug Otis says that he strongly approves of DKIM but has serious problems
with SSP and would like to see it out of scope. Barry Leiba responded that
one possible outcome of the WG would be that SSP is dropped, and on that basis
including SSP as in-scope is justifiable (since there are others who do want
it in-scope).
- Doug also apologised for the way he'd written an "alternative" version of Jim
Fenton's threats document, but explained that he'd found it too hard to
suggest discrete changes in the time available.
- Keith Moore wondered whether we knew which problem DKIM was addressing and
suggested that perhaps if we charter DKIM we will miss the opportunity to
study this problem.
- Mike Thomas said that we've been studying the problem for 1.5 years already
and wondered when we'd get beyond that.
- Barry noted that one thing that was considered useful was the ability to
turn-up/down filters on the basis of whether the message was DKIM signed (or
not).
- Keith stated that if the group were trying to solve the phishing problem then
that'd be a great discussion to have, but he found the proposed charter to be
too vague and would prefer it were at a level where specific details could be
discussed. Barry suggested that Keith suggest some changes to the charter text
which would satisfy that concern. Keith agreed to take an action item to make
such a suggestion.
- Chris Newman suggested that the policy work proposed in SSP might be
considered as research, which is interesting research, but which can only
happen if there's a basis on which to do the research. That basis appears to
be provided by the base DKIM specification.
Open discussion
---------------
- Doug Otis noted that the threats document doesn't properly address DoS issues.
Barry asked whether Doug's independent threats draft had text on that. Doug
said it did. Barry said that or some equivalent would be incorporated since
the topic is definitely in scope for the document.
- Doug noted some additional problems he has with SSP. Barry encouraged Doug to
be active in the WG on this topic, but said that at this stage we are focused
on chartering, so the details of SSP are for the putative WG.
- Jim Schaad said that he had some problems deciding whether or not DKIM should
be chartered and noted that he had a problem understanding the proposed work
from reading the threats document, (but had figured it out from the base
specification). Jim asked for the threats document to include a short abstract
description of how DKIM would work. Stephen Farrell said that that was planned
for inclusion as the document becomes a WG draft.
- Sam Hartman stated that as an IESG member (but not the responsible AD), as
things stood at that point, he wouldn't like to see DKIM chartered, since
DKIM, if successful, would change how email is handled on the Internet over
the next 10 years, and he'd rather that the community were happy with that before
the work started. Sam suggested that a BCP may be needed which codifies the
changes to the mail infrastructure which are caused by DKIM.
(*) Note: Subsequent to the meeting Sam clarified that he mainly meant that
he wanted the community to get a chance to consider this before DKIM starts -
he wasn't calling for the BCP to be written in advance.
- Keith Moore stated that he finds there's a lot of confusion about authorship
vs. transmission vs. origination for messages and he's getting different
messages from different DKIM proponents.
- Eliot Lear reminded the room that when MIME was started we hadn't intended
the outcome which may not be what we expect and that we shouldn't be setting
the bar so high that nothing gets done in an area.
- Malcom Cartier suggested that SSP be excluded from the scope as inappropriate
since it's placing responsibility for determining the truth onto the verifier
and the purpose of doing this is for the benefit of the domain owner. He said
that that wasn't an engineering issue but rather social and/or legal one.
- Dave Crocker said that the problem was that DKIM is a small discrete mechanism
for adding an identity to a message but the problem is that it scares the
&^*% out of us. Dave reiterated Eliot's comment about not setting the bar too
high.
- Keith stated that the problem was that DKIM didn't do anything useful, and
people want to solve spam, phishing etc, which DKIM doesn't do. Keith thinks
a lot of people think that DKIM does something close to useful which makes it
more likely to encourage confusion rather than a useful result. Barry asked
Keith whether there is utility in "I signed this, please whitelist me?". Keith
believes it is useful for authors to give domains a way to sign messages such
that recipients can verify.
- Responding to Eliot's remark, Keith recalled that the MIME work initially was
just addressing 8bit but the idea of attachments wasn't there. If by
chartering DKIM we could get a discussion going that would result in a real
solution then Keith would be all for that, but the problem is that we can't
get a WG without a concrete solution and then we're stuck with that - DKIM is a
good starting point but we should not constrain ourselves to that.
- Pete Resnick (not as an IAB member) said that DKIM doesn't purport anything.
DKIM is a mechanism. We should get away from trying to judge DKIM as to what
it would be useful for 20 years from now. If you can see that it is useful to
solve some small problem today, that's enough. That said, listening to Sam,
part of the problem is that DKIM once deployed, might require folks to use it,
so it is a potential disruption to the infrastructure. But we also need to
look at the current disruption of the infrastructure and we need to measure those
two things and make a judgment as to whether things will be better or worse.
- Sam Hartman stated that SSP should be included if we charter. He agreed with
Pete: what he had been saying was that we need to commit to that potential
for change and document the change in the class of service that might result.
He was not saying that DKIM was bad.
- Russ Housley expressed a concern about having to do a BCP before chartering.
- Jim Fenton noted that there isn't anything in the DKIM specs, including SSP,
that mandates any bad behaviour. Maybe you know something about the signing
address, maybe you don't and we have a large body of unsigned messages, and
what the alleged sender would like you to do with those unsigned messages.
Stephen agreed that handling unsigned messages was hard and without something
like SSP it might be very hard.
- Harald Alvestrand said he hadn't read the drafts but has been listening to
the discussion and was trying to put himself in the shoes of someone who
brings work to the IETF who was less polite. If he was told that he was going
to have to have consensus on something that might or might not occur 10 years
out he would walk away. This discussion was about whether the IETF will be
allowed to contribute to this effort. The IETF may not have input if it
insists on operating this way. [The audience applauded this contribution.]
- Jim Galvin noted that the document speaks in terms of how mailing lists break
signatures and DKIM which is an unfair characterization. Mailing list
managers are good actors. You just need to tell them what the right thing to
do is. The BoF chairs agreed that this was in scope and presenting a positive
view of what mailing list managers could do was a good idea.
- Doug Otis agreed that the base spec provides a good mechanism but said SSP
does talk about good and bad behavior. The vast majority of people would not
want to be as restrictive as a bank, and so he thinks we want to figure out
how to special case the bank and optimize for the general case. Barry encouraged
Doug to come to WG meetings and help us to sort that out.
- Keith, in response to Harald: it's really easy to say that DKIM is really
simple. Over the years we've seen lots of simple proposals that we thought
wouldn't have unintended consequences. Barry Leiba noted that we can consider
consequences in the WG, the point is that we don't have to do it beforehand.
- Bill Somerfield had a similar comment to Jim Galvin. He thinks the charter
should specifically address mailing lists.
- Mark Delany would like to put a vote in for SSP in some form, perhaps not
necessarily the current form.
- Richard Shockey agreed with Harald: every possible protocol we develop could
have unintended consequences.
- Bernard Aboba noted that the biggest problem is unintended consequences
coming from things that are useful not things that are not useful.
Decisions
---------
Barry asked the room to hum if they wanted a WG formed as described in the
charter (assuming modifications to reflect the meeting). There was an
overwhelming hum for WG formation on that basis.