[ietf-dkim] Lists "BCP" draft available

Mon May 17 04:36:20 PDT 2010

  Hi Murray,

Thanks for taking a shot at this.  Here are some comments on the Lists 
draft.

First, I support the draft becoming a working group document.

However, I wonder if it requires simplification with a bit more 
discussion as to motivation.  I'll get into some of that below.

Introduction 3rd and 4th bullets should use consistent terminology, so I 
suggest:

s/mailing list/MLM/

Section 1.2

>     MLM behaviors are well-established and standards compliant.

I don't understand what you mean by standards compliant.

Same section lower down:
>     However, the fact that the From
>     field of such a message is typically the same as for the original
>     message and that recipients perceive the message as "from" the
>     original author rather than the MLM creates confusion about
>     responsibility and autonomy for the re-posted message.

Isn't there standard terminology to distinguish between the From and 
from (e.g., SMTP-From)?

Section 1.3

FBL?  What a horrible misuse of an already common term.  Is there a cite 
for this or can we change it?

Section 3.1

I *love* the title of this section!!!

However- I believe we need to be careful to cite the source of these 
definitions, so as to avoid conflict should they change.

Section 3.2

>   The remainder of this document operates on the presumption that a
>     message going through a re-posting MLM actually comprises two message
>     transactions

s/re-posting/resending/

?

I think, by the way, that 3.2 should probably be expanded with regard to 
the logic behind steps 1 and 2.  Seems to me that's the thing that will 
help mailing list maintainers understand why the solution is correct.

Section 4.1.

I'm uncomfortable with this section.  I don't know how an author is 
supposed to know whether an MLM is a participant or non-participant.  
Moreover, discrimination at the enterprise level seems like a great 
opportunity for us vendors to sell more hardware without much customer 
benefit.

I would rather see this section simply say that messages originating 
from ADMDs that have strict ADSP polices are advised to not make use of 
either non-participating MLMs that corrupt signatures.

Section 5.1
> Authors may be well-advised to create a DNS domain specifically used
>     for generating signatures when sending traffic to MLMs

I think you have to be really clear on this point, because it can be 
read in one of several ways:

    * Author domain should be used expressly to transmit to MLMs, in
      which case you should make it clear when this should be the case
      (e.g., you couldn't imagine an entire enterprise redoing their
      email infrastructure to such an end)
    * The SIGNING domain and NOT the author domain should be used
      expressly to transmit to MLMs, in which case we have a problem I
      mentioned above;
    * Something else

Section 5.2:

>     In the case of verification of signatures on subscriptions, MLMs are
>     advised to add an [AUTH-RESULTS] header field to indicate the
>     signature(s) observed on the submission as it arrived at the MLM and
>     what the outcome of the evaluation was.

What if any level of operational trust should be placed in such a header?

Section 5.4

>     A DKIM-aware resending MLM is encouraged to sign the entire message
>     as it arrived, especially including the original signatures.

Would I as an MLM want to resign a message that I received that itself 
was not signed?  Do I want to confer more authority to that message than 
is warranted?

Eliot
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mipassoc.org/pipermail/ietf-dkim/attachments/20100517/a37bacc3/attachment.html 