Last Modified: 2005-10-17
64th DKIM BoF draft minutes --------------------------- The DKIM BoF occurred on Monday Nov. 7th at 1pm, approximately 120 people attended. Excellent jabber log: http://email@example.com/2005-11-07.html Meeting materials (scroll down to DKIM): https://datatracker.ietf.org/public/meeting_materials.cgi?meeting_num=64 Meeting audio: http://limestone.uoregon.edu/ftp/pub/videolab/media/ietf64/ietf64-ch6-mon.mp3.1 Summary ------- The BoF covered introductory stuff, a walkthrough of the draft charter (and discussion theron), and presentations about the proposed WG deliverables. During the discussion a range of opinions were expressed, ranging from concern about the scoping and potential impact of DKIM some years down the road, all the way to coments that the the barrier being placed here was far too high for WG-formation. On the technical front, there were some concerns about the sender signer policy proposal, which clearly needs work. At the end of the BoF the chairs asked for a hum as to whether or not a wg with the proposed charter should be chartered. The result was a fairly overwhelming positive hum for WG-formation. Actions: 1. Keith Moore took an action to try propose some charter text he'd find more acceptable. 2. There was a proposal to include within some (possibly new) deliverable, with postive guidance (as opposed to text complaining about lists "breaking" things) about how DKIM and mailing lists might co-exist. Stephen Farrell took an action to bring this proposal to the DKIM list. 3. The BoF chairs will work with the AD (Russ) to get the charter into the state required for an IESG decision on wg-formation. BoF Agenda ---------- 1. Agenda & introduction (10,Farrell) 2. Walk through proposed charter (15,Leiba) 3. Discussion of proposed charter -- open (20,Leiba) 4. Walk through threat analysis -- Fenton (15) 5. Walk through base spec -- Allman (10) 6. Walk through policy spec -- Allman (10) 7. Introduce other deliverables (10, Farrell) 8. Open discussion of specs & deliverables -- open (20, Farrell) 9. Decision: should a WG be formed with this charter? (10, Farrell) The presentations and audio are available for the above, so these minutes will just cover items #3, #8 an #9. Charter discussion ------------------ - Doug Otis says that he strongly approves of DKIM but has serious problems with SSP and would like to see it out of scope. Barry Leiba responded that one possible outcome of the WG would be that SSP is dropped, and on that basis including SSP as in-scope is justifiable (since there are others who do want it in-scope). - Doug also apologised for the way he'd written an "alternative" version of Jim Fenton's threats document, but explained that he'd found it too hard to suggest discrete changes in the time available. - Keith Moore wondered whether we knew which problem DKIM was addressing and suggested that perhaps if we charter DKIM we will miss the opportunity to study this problem. - Mike Thomas said that we've been studying the problem for 1.5 years already and wondered when we'd get beyond that. - Barry noted that one thing that was considered useful was the ability to turn-up/down filters on the basis of whether the message was DKIM signed (or not). - Keith stated that if the group were trying to solve the phishing problem then that'd be a great discussion to have, but he found the proposed charter to be too vague and would prefer it were at a level where specific details could be discussed. Barry suggested that Keith suggest some changes to the charter text which would satisfy that concern. Keith agreed to take an action item to make such a suggestion. - Chris Newman suggested that the policy work proposed in SSP might be considered as research, which is interesting research, but which can only happen if there's a basis on which to do the research. That basis appears to be provided by the base DKIM specification. Open discussion --------------- - Doug Otis noted that the threats document doesn't properly address DoS issues. Barry asked whether Doug's independent threats draft had text on that. Doug said it did. Barry said that or some equivalent would be incorporated since the topic is definitely in scope for the document. - Doug noted some additional problems he has with SSP. Barry encouraged Doug to be active in the WG on this topic, but said that at this stage we are focused on chartering, so the details of SSP are for the putative WG. - Jim Schaad said that he had some problems deciding whether or not DKIM should be chartered and noted that he had a problem understanding the proposed work from reading the threats document, (but had figured it out from the base specification). Jim asked for the threats document to include a short abstract description of how DKIM would work. Stephen Farrell said that that was planned for inclusion as the document becomes a WG draft. - Sam Hartman stated that as an IESG member (but not the responsible AD), as things stood at that point, he wouldn't like to see DKIM chartered, since DKIM, if successful, would change how email is handled on the Internet over the next 10 years, and he'd rather that the community were happy with that before the work started. Sam suggested that a BCP may be needed which codifies the changes to the mail infrastructure which are caused by DKIM. (*) Note; Subsequent to the meeting Sam clarified that he mainly meant that he wanted the community to get a chance to consider this before DKIM starts - he wasn't calling for the BCP to be written in advance. - Keith Moore stated that he finds there's a lot of confusion about authorship vs. transmission vs. origination for messages and he's getting different messages from different DKIM proponents. - Eliot Lear reminded the room that when MIME was started we hadn't intended the outcome which may not be what we expect and that we shouldn't be setting the bar so high that nothing gets done in an area. - Malcom Cartier suggested that SSP be excluded from the scope as inappropriate since it's placing responsibility for determining the truth onto the verifier and the purpose of doing this is for the benefit of the domain owner. He said that that wasn't an engineering issue but rather social and/or legal one. - Dave Crocker said that the problem was the DKIM is a small discrete mechanism for adding an identity to a message but the problem is that it scares the &^*% out of us. Dave reiterated Eliot's comment about not setting the bar too high. - Keith stated that the problem was that DKIM didn't do anything useful, and people want to solve spam, phishing etc, which DKIM doesn't do. Keith thinks a lot of people think that DKIM does something close to useful which makes it more likely to encourage confusion rather than a useful result. Barry asked Keith whether there is utility in "I signed this, please whitelist me?". Keith believes it is useful for authors to give domains a way to sign messages such that recipients can verify. - Responding to Eliot's remark, Keith recalled that the MIME work initially was just addressing 8bit but the idea of attachments wasn't there. If by chartering DKIM we could get a discussion going that would result in a real solution then Keith would be all for that, but the problem is that we can't get a WG without a concrete solution and then we're stuck with that - DKIM is a good starting point but we sould not constrain ourselves to that. - Pete Resnick (not as an IAB member) said that DKIM doesn't purport anything. DKIM is a mechanism. We should get away from trying to judge DKIM as to what it would be useful for 20 years for now. If you can see that it is useful to solve some small problem today, that's enough. That said, listening to Sam, part of the problem is that DKIM once deployed, might require folks to use it, so it is a potential disruption to the infrastructure. But we also need to look at the current disruption of the infrastructure and we need to measure those two things and make a judgment as to whether things will be better or worse. - Sam Hartman stated that SSP should be included if we charter. He agreed with Pete: what he had been saying was that we need to commit to that potential for change and document the change in the class of service that might result. He was not saying that DKIM was bad. - Russ Housley expressed a concern about having to do a BCP before chartering. - Jim Fenton noted that there isn't anything in the DKIM specs. including SSP, that mandates any bad behaviour. Maybe you know something about the signing address, maybe you don't and we have a large body of unsigned messages, and what the alleged sender would like you to do with those unsigned messages. Stephen agreed that handling unsigned messages was hard and without something like SSP it might be very hard. - Harald Alvestrand said he hadn't read the drafts but has been listening to the discussion and was trying to put himself in the shoes of someone who brings work to the IETF who was less polite. If he was told that he was going to have to have consensus on something that might or might not occur 10 years out he would walk away. This discussion was about whether the IETF will be allowed to contribute to this effort. The IETF may not have input if it insists on operating this way. [The audience applauded this contribution.] - Jim Galvin noted that the document speaks in terms of how mailing lists break signatures and DKIM which is an unfair characterization. Mailing list managers are good actors. You just need to tell them what the right thing to do is. The BoF chairs agreed that this was in scope and presenting a positive view of what mailiing list managers could do was a good idea. - Doug Otis agreed that the base spec provides a good mechanism but said SSP does talk about good and bad behavior. The vast majority of people would not want to be as restrictive as a bank, and so he thinks we want to figure out how to special case the bank and optimize for the general case. Barry encuraged Doug to come to WG meetings and help us to sort that out. - Keith, in response to Harald: it's really easy to say that DKIM is really simple. Over the years we've seen lots of simple proposals that we thought wouldn't have unintended consequences. Barry Leiba noted that we can consider consequences in the WG, the point is that we don't have to do it before hand. - Bill Somerfield had a similar comment to Jim Galvin. He thinks the charter should specifically address mailing lists. - Mark Delany would like to put a vote in for SSP in some form, perhaps not necessarily the current form. - Richard Shockey agreed with Harald: every possible protocol we develop could have unintended consequences. - Bernard Aboba noted that the biggest problem is unintended consequences coming from things that are useful not things that are not useful. Decisions --------- Barry asked the room to hum if they wanted a WG formed as described in the charter (assuming modifications to reflect the meeting). There was an overwhelming hum for WG formation on that basis.