ietf-dkim

Re: [ietf-dkim] New Issue: various overview editorial suggestions

2008-03-26 13:43:04

#1 Abstract

Suggest deleting "...and key server technology." DKIM doesn't really define
any new key server technology, so that's a bit misleading.

What is the previous example of serving keys via the DNS? If none, then what 
makes using DNS not 'new'?



#2 Abstract

Suggest changing:

"This permits verification of a message source, an intermediary, or one of
their agents, as well as the integrity of its contents. "

to:

"This permits stronger authentication of a message's source, (or intermediary or
other signing agent), as well as providing the ability to check data integrity
for message headers and content."

Stronger than what?  Where are the weaker ones cited?  And why is it necessary 
or helpful to cast this as a comparative rather than a description of a 
standalone capability?


#3 Abstract

Suggest changing:

"Such protection of email identity can assist in the global control of "spam"
and "phishing".

to:

"DKIM's authentication of email identity can assist in the global control
of "spam" and "phishing."

So the important change is from 'protection' to 'authentication'?  While I think
I can see some meaningful distinction here, can you elaborate on what problem
you see with the existing wording?


#4 Section 1, 2nd para: see #1 & #3 above.

#5 Section 1, 3rd para: While it's correct that this doesn't try to describe
much about how DKIM fits into more general anti-spam efforts, it'd be good
to provide a reference here to some such description. (I don't have one
to hand sorry.)

In theory it would certainly be helpful.  In practice, I suspect our challenge 
is to find a citation that is not, itself, controversial.  I don't have one 
either.


#6 Section 1.1, 1st para:

The first part of the 1st sentence seems like a tautology - who else could
create signatures other than someone who handles the message?

Having an association with Goodmail has been educational, since it has taught me
that the world of 'third party' signatures can get pretty interesting.

They don't handle the message, yet they sign it.


What does the "it" refer to in:  "It can also be created by an independent
service that is providing assistance to a handler of the message." I don't
understand the sentence basically.  I'd also suggest deleting the following two
sentences.

The reference is to the signature.  And does my citing Goodmail explain the 
nature of what the text is trying to refer to?


That'd mean changing:

"  DKIM signatures can be created by a direct handler of a message, either as
its author or as an intermediary.  It can also be created by an independent
service that is providing assistance to a handler of the message.  Whoever does
the signing chooses the domain name to be used as the basis for later
assessments.  Hence, the reputation associated with that domain name is an
additional basis for evaluating whether to trust the message for delivery.  The
owner of the domain name being used for a DKIM signature is declaring that they
accept responsibility for the message and may thus be held accountable for it."

to:

"  DKIM signatures can be created by any handler of a message, either its
author or an intermediary.  In a typical use of DKIM, the owner of the domain
name being used for a DKIM signature is declaring that they accept
responsibility for the message and may thus be held accountable for it."

I hope that the Goodmail example explains why your suggested text is overly 
restrictive.


#7 Section 1.1, 3rd para:

Suggest changing:

"DKIM's capabilities have a narrow scope." 

to:

"DKIM has a narrow scope."

#8 Section 1.1, bullet list, 1st bullet:

Suggest changing:

"Does not offer any assertions about the behaviors of the identity
doing the signing."

to:

"Does not offer any assertions about the behaviors of the signer."

That's a very attractive simplification, but as I think about it, I think that, 
again, it is overly restrictive.  To wit: An outsourced sending service signs 
with the domain name of the content authoring organization.  The signer is not 
the one whose reputation is used for making assessments.

In this scenario, I believe your proposed text would be inaccurate.


#9 Section 1.1, bullet list, last bullet

If the "To:" field (and others) were included in the signature
then some forms of replay could be detected. Maybe too hard to
explain here, so change the example to say that the same message
could be resent to the same recipients? (That's a "purer" replay
anyway since the message bytes don't change at all.)

Not sure I understand how that would protect against replay.


#10 Section 1.2, 1st para: 

s/an identity that used the//
s/the message content/existing message content/
s/via underlying Internet information mechanisms/via the network/
s/therefore/often/
s/viewed as often/often viewed as/

#11 Section 1.2, 2nd para:

s/four previous IETF efforts at standardizing/four previous IETF efforts that standardized/

#12 Section 1.2, bullet list. Isn't PGP a trademark? Suggest deleting
or acking (or whatever's right, I dunno).

oops.  Good catch.  Callas is careful to remind us to use OpenPGP, precisely for
that reason.


#12 Section 1.2, 3rd last para:

Change:

"That said, DKIM uses security algorithm
   components that have a long history, including use within some of
   those other messaging security services."

to:

"That said, DKIM only uses cryptographic mechanisms
   that have a long history, including use within some of
   those other messaging security services."

Ok.  And while I suspect that I see how the change improves the meaning, I'd 
like to be a bit more educated about it.  Would you explain what is the 
important difference in the language?


#13 Section 1.2, 2nd last para:

s/Public Key Infrastructure (PKI)/public key management scheme/

When PKI got introduced into the text, it also gave me pause.  But I thought the 
use of it was valid.  Can you clarify your concern, preference, etc.?

(I see that Wikipedia says that a Cert Authority is required, for use of the 
term PKI, and DKIM most certainly does not have one of those.)


s/relying on the key having a broader semantic implication
of the assertion, such as a quality assessment of the key's owner/
having the validity of the key attested to by a trusted third party/

#14 Section 1.2, last para

s/DKIM's PKI/DKIM public key distribution/
s/the technical aspect of the//

#15 Section 2, 1st para:

2nd sentence reads oddly, maybe:

s/ Such misrepresentations may (but not necessarily) be employed in order to
perpetrate abuse/Such misrepresentations may be employed for legitimate reasons
or for nefarious reasons./

#16 Section 2, bullets:

s/Determine a verified identity, if possible/ Determine a verified identity as
taking responsibility for the message, if possible/
s/Determine whether a known identity is trusted/ Determine whether, and if so,
for what,  a known identity is trusted/


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html