
[ietf-dkim] New Issue: various overview editorial suggestions

2008-03-26 14:46:08

I'm still not done with this, but since I'm already late
it's probably worth sending these suggested changes out
now. Feel free to ignore or take 'em & sorry if they
overlap with recent list discussions.

And of course, these are just my comments as a vanilla
participant, not as chair or shepherd (that's Barry this
time btw).

I'll try to get the rest of this reviewed in the next day
or two, so more apologies (this time in advance:-) for
those even later comments.

Stephen.




#1 Abstract

Suggest deleting "...and key server technology." DKIM doesn't really define
any new key server technology, so that's a bit misleading.

#2 Abstract

Suggest changing:

"This permits verification of a message source, an intermediary, or one of
their agents, as well as the integrity of its contents. "

to:

"This permits stronger authentication of a message's source, (or intermediary or
other signing agent), as well as providing the ability to check data integrity
for message headers and content."

#3 Abstract

Suggest changing:

"Such protection of email identity can assist in the global control of "spam"
and "phishing".

to:

"DKIM's authentication of email identity can assist in the global control
of "spam" and "phishing."

#4 Section 1, 2nd para: see #1 & #3 above.

#5 Section 1, 3rd para: While it's correct that this doesn't try to describe
much about how DKIM fits into more general anti-spam efforts, it'd be good
to provide a reference here to some such description. (I don't have one
to hand, sorry.)

#6 Section 1.1, 1st para:

The first part of the 1st sentence seems like a tautology - who else could
create signatures other than someone who handles the message?
What does the "it" refer to in:  "It can also be created by an independent
service that is providing assistance to a handler of the message." I don't
understand the sentence basically.  I'd also suggest deleting the following two
sentences.

That'd mean changing:

"  DKIM signatures can be created by a direct handler of a message, either as
its author or as an intermediary.  It can also be created by an independent
service that is providing assistance to a handler of the message.  Whoever does
the signing chooses the domain name to be used as the basis for later
assessments.  Hence, the reputation associated with that domain name is an
additional basis for evaluating whether to trust the message for delivery.  The
owner of the domain name being used for a DKIM signature is declaring that they
accept responsibility for the message and may thus be held accountable for it."

to:

"  DKIM signatures can be created by any handler of a message, either its
author or an intermediary.  In a typical use of DKIM, the owner of the domain
name being used for a DKIM signature is declaring that they accept
responsibility for the message and may thus be held accountable for it."

#7 Section 1.1, 3rd para:

Suggest changing:

"DKIM's capabilities have a narrow scope." 

to:

"DKIM has a narrow scope."

#8 Section 1.1, bullet list, 1st bullet:

Suggest changing:

"Does not offer any assertions about the behaviors of the identity
doing the signing."

to:

"Does not offer any assertions about the behaviors of the signer."


#9 Section 1.1, bullet list, last bullet

If the "To:" field (and others) were included in the signature
then some forms of replay could be detected. Maybe too hard to
explain here, so change the example to say that the same message
could be resent to the same recipients? (That's a "purer" replay
anyway since the message bytes don't change at all.)

#10 Section 1.2, 1st para: 

s/an identity that used the//
s/the message content/existing message content/
s/via underlying Internet information mechanisms/via the network/
s/therefore/often/
s/viewed as often/often viewed as/

#11 Section 1.2, 2nd para:

s/four previous IETF efforts at standardizing/four previous IETF efforts
that standardized/

#12 Section 1.2, bullet list. Isn't PGP a trademark? Suggest deleting
or acking (or whatever's right, I dunno).

#12 Section 1.2, 3rd last para:

Change:

"That said, DKIM uses security algorithm
   components that have a long history, including use within some of
   those other messaging security services."

to:

"That said, DKIM only uses cryptographic mechanisms
   that have a long history, including use within some of
   those other messaging security services."

#13 Section 1.2, 2nd last para:

s/Public Key Infrastructure (PKI)/public key management scheme/

s/relying on the key having a broader semantic implication
of the assertion, such as a quality assessment of the key's owner/
having the validity of the key attested to by a trusted third party/

#14 Section 1.2, last para

s/DKIM's PKI/DKIM public key distribution/
s/the technical aspect of the//

#15 Section 2, 1st para:

2nd sentence reads oddly, maybe:

s/ Such misrepresentations may (but not necessarily) be employed in order to
perpetrate abuse/Such misrepresentations may be employed for legitimate reasons
or for nefarious reasons./

#16 Section 2, bullets:

s/Determine a verified identity, if possible/ Determine a verified identity as
taking responsibility for the message, if possible/
s/Determine whether a known identity is trusted/ Determine whether, and if so,
for what,  a known identity is trusted/
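
An added illustration of the point made in #9, not part of the original post or of the DKIM drafts: a small Python model of DKIM's signed-header selection (the h= tag) and "relaxed" header canonicalization, with an HMAC standing in for the RSA signature so it runs without a crypto library. It shows that a byte-identical replay to the same recipients always verifies, while a re-send to a different recipient only fails verification when To: is among the signed fields. The secret, header values, domain and selector are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed shared secret: a stand-in for the signer's private key and the
# DNS-published public key. Real DKIM uses an RSA signature over the hash;
# an HMAC is used here only so the example runs without a crypto library.
SECRET = b"constructed-demo-key"

# Constructed sample headers, topmost first (not from the original post).
ORIGINAL = [
    ("From", "alice@example.com"),
    ("To", "bob@example.net"),
    ("Subject", "Hello\r\n  world"),
]
# The same message re-sent to a different recipient: only To: differs.
REDIRECTED = [
    ("From", "alice@example.com"),
    ("To", "carol@example.org"),
    ("Subject", "Hello\r\n  world"),
]


def relaxed_header(name, value):
    """DKIM 'relaxed' header canonicalization: lowercase the field name,
    unfold continuation lines, collapse whitespace runs to one space and
    strip the value; each canonicalized header ends with CRLF."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def signed_data(headers, signed_fields):
    """Bytes covered by the signature: each header named in h=, in h= order,
    followed by the DKIM-Signature header itself with an empty b= tag.
    Assumes each header name occurs at most once in the message."""
    h_tag = ":".join(signed_fields)
    dkim_sig = f"v=1; a=rsa-sha256; d=example.com; s=sel; h={h_tag}; b="
    data = ""
    for field in signed_fields:
        for name, val in headers:
            if name.lower() == field.lower():
                data += relaxed_header(name, val)
                break
    # The signature header is canonicalized without its trailing CRLF.
    data += relaxed_header("DKIM-Signature", dkim_sig).rstrip("\r\n")
    return data.encode()


def sign(headers, signed_fields):
    """Produce the b= value (hex) for the given headers and h= list."""
    return hmac.new(SECRET, signed_data(headers, signed_fields),
                    hashlib.sha256).hexdigest()


def verify(headers, signed_fields, sig):
    """Recompute the signature over the received headers and compare."""
    return hmac.compare_digest(sign(headers, signed_fields), sig)


def replay_outcomes(signed_fields):
    """Sign ORIGINAL with the given h= list, then verify (a) a byte-identical
    re-send to the same recipients and (b) the re-send to a new recipient.
    Returns (same_recipient_verifies, redirected_verifies)."""
    sig = sign(ORIGINAL, signed_fields)
    return (verify(ORIGINAL, signed_fields, sig),
            verify(REDIRECTED, signed_fields, sig))


if __name__ == "__main__":
    # To: not signed: redirecting the message goes unnoticed.
    print("h=From:Subject    ->", replay_outcomes(["From", "Subject"]))       # (True, True)
    # To: signed: the redirect breaks the signature; the pure replay still verifies.
    print("h=From:To:Subject ->", replay_outcomes(["From", "To", "Subject"]))  # (True, False)
```

The second case is the "purer" replay the post describes: when nothing in the message bytes changes, no choice of signed headers can distinguish the copy from the original, which is why the signature alone cannot address that form of replay.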

