ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Lists "BCP" draft available

2010-06-01 02:46:05
from [Murray S. Kucherawy] [Permanent Link] 
Hi Eliot,

By ‘standards compliant’ there I actually mean ‘not non-compliant’, meaning 
there’s no basis on which to coerce MLMs to change their behavior.

I can change to the “RFC5322.From” notation if necessary.

The use of FBL in this context is in line with how the MARF working group is 
using it and also lines up with the discussion that got this whole recent 
effort started.  Is there some other definition I should be aware of?

I’ve extended 3.2 as you suggested.

For 4.1, I’ll need to go over it again, unless you (or someone else) has some 
suggestions.  I just looked at it and it seemed reasonable to me; it’s not hard 
for me to figure out which lists I’m on that are and aren’t MLM-aware.  This 
document might even encourage MLM operators to announce this to their users at 
subscription time so they can be appropriately informed.

For 5.1, I’ve changed it to “mail streams”, which is defined earlier in the 
document.

For 5.2 and 5.4, I’ve added some clarifying text.

Thanks for the thorough review!

-MSK

From: Eliot Lear [mailto:lear(_at_)cisco(_dot_)com]
Sent: Monday, May 17, 2010 4:36 AM
To: Murray S. Kucherawy
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Lists "BCP" draft available

Hi Murray,

Thanks for taking a shot at this.  Here are some comments on the Lists draft.

First, I support the draft becoming a working group document.

However, I wonder if it requires simplification with a bit more discussion as 
to motivation.  I'll get into some of that below.

Introduction 3rd and 4th bullets should use consistent terminology, so I 
suggest:

s/mailing list/MLM/

Section 1.2



   MLM behaviors are well-established and standards compliant.

I don't understand what you mean by standards compliant.

Same section lower down:


   However, the fact that the From

   field of such a message is typically the same as for the original

   message and that recipients perceive the message as "from" the

   original author rather than the MLM creates confusion about

   responsibility and autonomy for the re-posted message.

Isn't there standard terminology to distinguish between the From and from 
(e.g., SMTP-From)?

Section 1.3

FBL?  What a horrible misuse of an already common term.  Is there a cite for 
this or can we change it?

Section 3.1

I *love* the title of this section!!!

However- I believe we need to be careful to cite the source of these 
definitions, so as to avoid conflict should they change.

Section 3.2



 The remainder of this document operates on the presumption that a

   message going through a re-posting MLM actually comprises two message

   transactions

s/re-posting/resending/

?

I think, by the way, that 3.2 should probably be expanded with regard to the 
logic behind steps 1 and 2.  Seems to me that's the thing that will help 
mailing list maintainers understand why the solution is correct.

Section 4.1.

I'm uncomfortable with this section.  I don't know how an author is supposed to 
know whether an MLM is a participant or non-participant.  Moreover, 
discrimination at the enterprise level seems like a great opportunity for us 
vendors to sell more hardware without much customer benefit.

I would rather see this section simply say that messages originating from ADMDs 
that have strict ADSP polices are advised to not make use of either 
non-participating MLMs that corrupt signatures.

Section 5.1


Authors may be well-advised to create a DNS domain specifically used

   for generating signatures when sending traffic to MLMs

I think you have to be really clear on this point, because it can be read in 
one of several ways:

 *   Author domain should be used expressly to transmit to MLMs, in which case 
you should make it clear when this should be the case (e.g., you couldn't 
imagine an entire enterprise redoing their email infrastructure to such an end)
 *   The SIGNING domain and NOT the author domain should be used expressly to 
transmit to MLMs, in which case we have a problem I mentioned above;
 *   Something else
Section 5.2:



   In the case of verification of signatures on subscriptions, MLMs are

   advised to add an [AUTH-RESULTS] header field to indicate the

   signature(s) observed on the submission as it arrived at the MLM and

   what the outcome of the evaluation was.

What if any level of operational trust should be placed in such a header?


Section 5.4



   A DKIM-aware resending MLM is encouraged to sign the entire message

   as it arrived, especially including the original signatures.

Would I as an MLM want to resign a message that I received that itself was not 
signed?  Do I want to confer more authority to that message than is warranted?

Eliot

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Next by Date:  Re: [ietf-dkim] Lists "BCP" draft review, Murray S. Kucherawy
Next by Thread:  Re: [ietf-dkim] Lists "BCP" draft available, John R. Levine
Indexes:  [Date] [Thread] [Top] [All Lists]