[ietf-dkim] RE: I think we can punt the hard stuff as out of scope.
hsantos at santronics.com
Sat Jun 9 04:27:01 PDT 2007
Isn't this a contradiction here?
First you made a statement that the "DKIM WG has no authority to create
a policy framework describing the overall use of email, just the use of
But then yet you just went ahead and described one anyway, further you
went ahead and dictated receiver design.
Just think about this:
Do you consider that a message that is not DKIM signed has a presumption of
invalidity? Thus promoting an SSP check?
Whether you do or not, your angle seems to be to dictate local policy,
how systems will be designed, how email is to be handled, how verifiers must
tolerate abuse, how optimization, scalability and overhead is or is not
considered and worst, how we need to present all this to customers in
ways that may not be appropriate to them, thus increasing the adoption
In any case, I am happy to see more SMTP system vendors, especially from
larger systems, voice their input here.
Hector Santos, CTO
Jim Fenton wrote:
> It's somewhat of a political issue: I don't favor a NOMAIL policy
> because I don't feel that the DKIM WG has the authority to create a
> policy framework describing the overall use of email, just the use of DKIM.
> What a non-mailing domain can do that is almost equivalent and within
> scope is to express a policy that they sign everything, and an
> expectation that receivers should receive signed mail from the domain,
> and then publish no public keys (selectors). If the verifier can't
> retrieve the public key, then the signature can't possibly be good and
> there's no use verifying it. The only extra overhead compared with a
> NOMAIL policy is that with NOMAIL it isn't necessary to retrieve the
> public key. But many verifiers will only do SSP if there's no valid
> originator signature, so they won't know of the NOMAIL policy yet anyway.
> So I think this could be accomplished in a different manner.
> Patrick Peterson wrote:
>> I read the posts as best I could and found some ambiguity.
>> I strongly believe nomail is important so I may be biased but it did not
>> appear to be cut and dry. In fact, some of the "No nomail" votes said
>> the objective could be accomplished in a different manner.
>> Since I didn't vote I do not feel I can raise the issue again. But it is
>> clear to me that summarily striking down any discussion of this item as
>> out of scope is not appropriate. Putting it in a box or deferring it may
>> be. But I would ask everyone to listen to the justification for nomail
>> regardless of when/if it is addressed. Many of our assumptions change as
>> design continues and input is received.
>> Would it help the discussion if large deployers of DKIM expressed their
>> opinions on nomail? (Again, they could express their opinions and this
>> item could still be held for later.)