From: Eliot Lear [mailto:lear(_at_)cisco(_dot_)com]
Hallam-Baker, Phillip wrote:
What Russ is asking for is what I would describe as a problem
statement. What Steve Bellovin is asking for is a comprehensive
security analysis of the proposed solution. In the end we
clearly have
to deliver both, but Russ's concern is the one I would
expect an AD to
have because it goes to the question of what the charter
should look
like. Bellovin's request is something I would expect the WG
to answer.
While I am sure that Russ can speak for himself, I would like
to just add something I heard very clearly from him at the
beginning at the BoF. What he said, as I recall, was that
the first technology in this space that gets chartered will
raise the bar for all others. The question for the group was
whether DKIM should be that technology, and that was the
focus of the discussion.
Therefore, I interpret that as the threat analysis consisting
of a crisp problem statement and then some fairly detailed
analysis of how DKIM either solves the problem(s) or is a
necessary component to solving the problem(s).
I still cannot see how you get from one proposition to the other. The
question that was repeatedly asked at the BOF was 'will this spec do any
good'. It was raised by two ADs, three ex-ADs and a member of the IAB.
I would expect that a working group would be formed first if
it is demonstrated that the problem is important, second if
it is shown that the DKIM solution either solves the problem
or can provide a necessary component of solving the problem,
third that there does not exist a standard today that could
reasonably be adapted to provide the same function, and
fourth that of the proposed solutions in this space, DKIM is
the best one to go forward (for some value of "best").
The argument at the BOF was very clearly of the 'component' variety
rather than claiming to solve the problem.
If we argue for the value of DKIM as a component we have to describe the
relationship of that component to the other components we expect to be
used in conjunction with it.
I would further expect that development of answers to these
four would occur on the newly created dkim list, but now I'm
channeling Dave Crocker and there could be a parity error in
there somewhere (Dave can speak for himself).
I would spend time talking to Russ Housely, Sam Hartman, EKR et al
rather than attempting to channel someone.