[ietf-dkim] Re: MASS/DKIM interim minutes posted

Jim Fenton fenton at cisco.com
Mon Sep 12 22:50:31 PDT 2005


Douglas Otis wrote:

>
> On Sep 9, 2005, at 8:44 AM, Jim Fenton wrote:
>
>> Presentation slides and interim minutes from the MASS (DKIM) BoF at  
>> IETF 63 in Paris have been posted to the IETF website:
>>
>> https://datatracker.ietf.org/public/proceeding_interim.cgi?meeting_num=63
>>
>> (search for "MASS")
>
>
> (Doug Otis): Replay abuse is a problem; don't consider the spec as  
> written as sufficient. {Exclusion of reputation from the charter is a  
> problem; it needs more visibility.}
>
> I do not recall my exact words; I am sure this was not what I said.
> "The impact upon the domain's reputation has not received sufficient  
> consideration either."  I have attempted to expand upon that issue  
> within the mass-reputation draft.  This is _not_ related to  
> establishing reputation or accreditation services, as seemingly  
> understood.  I have steadfastly said these services are a separate  
> issue, while protecting one's reputation is not.

Here is what was said, pretty much verbatim:
=====
(Doug Otis):  This is Doug Otis.  I tend to think that you're right that 
replay is a feature; however, replay abuse is obviously a problem that 
needs to be dealt with.  I don't feel that the spec as it's written 
today deals with that problem, and it was an issue raised also, I think, 
in Russ's review.  The exclusion of reputation from the charter makes me 
wonder how we're going to elevate that to enough stature that it's dealt 
with properly.  And so, that becomes a concern I guess related to how 
you go about chartering it, when you are ignoring, I think, a fairly 
important aspect of what this can be used for.  In terms of saying that 
this is good for phishing I think that there is a lot of work to be done 
in that area as well.  I understand that there are already things on the 
table to try to fix some problems that exist with respect to how you 
would deal with a phishing attack.  I could add several ideas in that 
area, but there's also, when it comes to trying to protect the 
reputation, which would be the spam issue, there are a lot of things 
that need to be done there as well and they're not in the current drafts.

(Jim Fenton):  Well, with respect to reputation and accreditation, I 
don't think any of the people that are working on this -- let me state 
it in a positive way -- I think all of the people that are working on 
this feel that those are important issues.  The question is whether they 
should be done within this working group at this juncture, or whether 
they might be taken up in parallel or perhaps as a revision to the charter.

(Doug Otis):  I guess I should restate what I was saying.  I am not 
talking about how you would hook into a reputation system or hook into 
accreditation; I think I'm quite willing to see that left open.  But 
what I'm talking about is how you can make this mechanism suitable for 
such future use.  That I don't see as a property of the current spec, or 
the current draft.
=====
I may have over-summarized a bit (or I wouldn't have gotten the minutes 
done on time!) but I think I captured the gist of your first comment 
properly.  I did omit your clarifying comment after my response, so how 
about if we add the following after my response in the minutes:

(Doug Otis):  To clarify, this isn't about how to hook into reputation 
and accreditation systems, but rather how to make the signature 
mechanism suitable for such use.

OK?

-Jim

