Douglas Otis wrote:
On Sep 9, 2005, at 8:44 AM, Jim Fenton wrote:
Presentation slides and interim minutes from the MASS (DKIM) BoF at
IETF 63 in Paris have been posted to the IETF website:
https://datatracker.ietf.org/public/proceeding_interim.cgi?meeting_num=63
(search for "MASS")
(Doug Otis): Replay abuse is a problem; don't consider the spec as
written as sufficient. {Exclusion of reputation from the charter is a
problem; it needs more visibility.}
I do not recall my exact words; I am sure this was not what I said.
"The impact upon the domain's reputation has not received sufficient
consideration either." I have attempted to expand upon that issue
within the mass-reputation draft. This is _not_ related to
establishing reputation or accreditation services, as seemingly
understood. I have steadfastly said these services are a separate
issue, while protecting one's reputation is not.
Here is what was said, pretty much verbatim:
=====
(Doug Otis): This is Doug Otis. I tend to think that you're right that
replay is a feature; however, replay abuse is obviously a problem that
needs to be dealt with. I don't feel that the spec as it's written
today deals with that problem, and it was an issue raised also, I think,
in Russ's review. The exclusion of reputation from the charter makes me
wonder how we're going to elevate that to enough stature that it's dealt
with properly. And so, that becomes a concern I guess related to how
you go about chartering it, when you are ignoring, I think, a fairly
important aspect of what this can be used for. In terms of saying that
this is good for phishing I think that there is a lot of work to be done
in that area as well. I understand that there are already things on the
table to try to fix some problems that exist with respect to how you
would deal with a phishing attack. I could add several ideas in that
area, but there's also, when it comes to trying to protect the
reputation, which would be the spam issue, there are a lot of things
that need to be done there as well and they're not in the current drafts.
(Jim Fenton): Well, with respect to reputation and accreditation, I
don't think any of the people that are working on this -- let me state
it in a positive way -- I think all of the people that are working on
this feel that those are important issues. The question is whether they
should be done within this working group at this juncture, or whether
they might be taken up in parallel or perhaps as a revision to the charter.
(Doug Otis): I guess I should restate what I was saying. I am not
talking about how you would hook into a reputation system or hook into
accreditation; I think I'm quite willing to see that left open. But
what I'm talking about is how you can make this mechanism suitable for
such future use. That I don't see as a property of the current spec, or
the current draft.
=====
I may have oversummarized a bit (or I wouldn't have gotten the minutes
done on time!) but I think I captured the gist of your first comment
properly. I did omit your clarifying comment after my response, so how
about if we add the following after my response in the minutes:
(Doug Otis): To clarify, this isn't about how to hook into reputation
and accreditation systems, but rather how to make the signature
mechanism suitable for such use.
OK?
-Jim
_______________________________________________
ietf-dkim mailing list
http://dkim.org