ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Last Call: <draft-ietf-dkim-rfc4871bis-12.txt> (DomainKeys Identified Mail (DKIM) Signatures) to Draft Standard

2011-06-22 23:43:47
from [Barry Leiba] [Permanent Link] 
To add chair support to Murray's comment:

On Wed, Jun 22, 2011 at 13:17, Murray S. Kucherawy 
<msk(_at_)cloudmark(_dot_)com> wrote:

-----Original Message-----
From: ietf-bounces(_at_)ietf(_dot_)org 
[mailto:ietf-bounces(_at_)ietf(_dot_)org] On Behalf Of Douglas Otis
Sent: Tuesday, June 21, 2011 6:51 PM
To: ietf(_at_)ietf(_dot_)org; Barry Leiba; 
iesg-secretary(_at_)ietf(_dot_)org; Sean Turner
Subject: Last Call: <draft-ietf-dkim-rfc4871bis-12.txt> (DomainKeys 
Identified Mail (DKIM) Signatures) to Draft Standard

[...]

This indicates the DKIM specification is seriously flawed.  While DKIM
may not offer author validation, it was intended to establish an
accountable domain for the signed message content that at a minimum
includes the From header field.  There are NO valid reasons for a valid
signature to include multiple From header fields!  Allowing multiple
From header fields is _EVIL_ and destroys DKIM's intended purpose as
defined by prior work.


This purported security flaw and surrounding FUD was discussed at huge length
in the working group, and consensus was clearly against the idea of dealing 
with
this in DKIM because it's the wrong place to address the problem.  The 
record, both
in the issues tracker and in the working group's archive, is quite clear 
about this,
and both are open to public scrutiny.


Indeed.  We gave this issue at least two clear consensus calls, and
it's very clear that the rough consensus considers the kind of
validation that Doug is asking for to be a good idea, but outside the
scope of the DKIM protocol.  That is, the validation ought to be done
in another part of the software system.  The document does actually
advise that, and that advice is all that working group consensus was
behind.  Consensus also is that Doug is severely overstating the
problem.

This has been decided and re-decided.


And I find the tactic of taking a lost battle from a working group to the 
IETF as
a whole to be akin to the "Mom said no, I'll go ask Dad!" strategy that I 
outgrew
by the time I was a teenager...


I, too, have a problem with how IETF last call is sometimes being used
by working group participants to rehash issues.  But that's a subject
for a separate conversation, and not for here.

Barry, DKIM working group chair
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Second Last Call: <draft-hammer-hostmeta-16.txt> (Web Host Metadata) to Proposed Standard -- feedback, Mark Nottingham
Next by Date:  Re: Last Call: <draft-ietf-dkim-rfc4871bis-12.txt> (DomainKeys Identified Mail (DKIM) Signatures) to Draft Standard, Doug Otis
Previous by Thread:  Re: Last Call: <draft-ietf-dkim-rfc4871bis-12.txt> (DomainKeys Identified Mail (DKIM) Signatures) to Draft Standard, Scott Kitterman
Next by Thread:  Re: Last Call: <draft-ietf-dkim-rfc4871bis-12.txt> (DomainKeys Identified Mail (DKIM) Signatures) to Draft Standard, Dave CROCKER
Indexes:  [Date] [Thread] [Top] [All Lists]