[ietf-dkim] Review of DKIM Sender Signing Practices (draft-ietf-dkim-ssp-01)

Charles Lindsey chl at clerew.man.ac.uk
Thu Dec 6 04:12:46 PST 2007 

On Wed, 05 Dec 2007 14:18:09 -0000, Scott Kitterman  
<ietf-dkim at kitterman.com> wrote:

> On Wednesday 05 December 2007 08:53, John Levine wrote:
>> >How would doing this work change what verifiers do after the RFC is
>> > deployed?
>>
>> Probably not much, but it will help rein in unwarranted expectations
>> by senders that publishing SSP will affect what happens to their mail.

Exactly. Verifier implementors who do not read the document carefully  
enough (Shock! Horror! they wouldn't to that would they!) will see all  
those "Verifiers MUST" statements and deduce that they are obliged to  
follow them exactly. Which will discourage them from trying innovative and  
imaginative techniques which might, in the long term, lead to impprved  
filtering of 'suspicious' (or even 'not so suspicious') messages.

And let me remind you that this thread started exactly because Dave  
Crocker (who maybe should know better) misread those "MUST"s in exactly  
that way. If even the people on this list can mis-read the draft, then  
that is a clear indication that its wording needs to be reviewed even  
though it does, when read carefully, say the right thing.
>>
> It sounds like a lot of work to say the same thing to me.  I don't think
> increasing the quantity and type of ways that the draft says it doesn't
> mandate what receivers will do is a value added use of anyone's time.

Extra work that results in implementors making fewer mistakes is NEVER a  
waste of time.

FYI, here is the wording that I suggested again. It isn't necessarily a  
pure addition, since it might enable some other less obvious statements of  
the situation to be taken out:

> "This document describes processes for what verifiers are expected to do
> in order to achieve what the signers intend.
>  But these descriptions are not Normative since there is no compulsion on
> verifiers to follow those processes exactly as described, or even at all.
> Therefore, use of the terms "MUST" and "SHOULD" in these descriptions
> merely indicate the steps verifiers need to take if they want to claim
> adherence to the particular set of processes described here."

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

More information about the ietf-dkim mailing list