[ietf-dkim] DKIM proposed charter tweak

[Stephen Farrell]

Michael Thomas wrote:
> Ned Freed wrote:
> 
>>> ------------------------------------------------
>>> While the techniques specified by the DKIM working group will not
>>> prevent fraud or spam, they will provide a tool for defense against
>>> them by allowing receiving domains to detect spoofing of known domains.
>>> The standards-track specifications will not mandate any particular
>>> action by the receiving domain when spoofing is detected.  That said,
>>> with the understanding that guidance is necessary for implementers, the
>>> threat summary should document a reasonable set of possible actions and
>>> strategies, and analyze their likely effects on attacks and on normal
>>> email delivery.  The DKIM working group will not attempt to establish
>>> requirements for trust relationships between domains or to specify
>>> reputation or accreditation systems.
>>> ------------------------------------------------
>>
>> This basically seems OK to me. I do question whether the threat analysis
>> document (which I guess we're calling the threat summary now) is the 
>> right
>> place for this, however. And even if it ends up being the right place, 
>> do we
>> really want to mandate the eventual location in the charter?
> 
> Right. This seems pretty clearly to me to be a BCP kind of
> thing. Which I think may be a pretty good idea, but it seems
> a bit of cart-before-horse to declare "best" and "common" before
> there's even a "common", let alone "best".

My impression is that there's no requirement for a comprehensive
analysis (of possible actions following receipt) at this stage, but
more for something with just a bit more coverage than an existence
proof (that there's at least one set of actions that make sense).
So the "reasonable set of possible actions" isn't meant to be
a very onerous target, or at least that's how I interpret it.

At a later stage someone could think of making up a BCP, but
like you said, that's a good bit down the road.

Stephen.