The DKIM working group met at IETF 68 in Prague on Wednesday, 21 March 2007, at 09:03 local time. The main goals of the meeting were to finish up the SSP requirements document, to move the SSP protocol work along, and to discuss the overview document's future.

*** Document status:
- The base specification is in the RFC editor's queue.
- The SSP requirements doc is almost done; discussion on that is on the agenda.
- The SSP protocol doc will start with a merged version of the two major proposals.
- The overview doc may be split; discussion on that is on the agenda.

There was a brief discussion about CRLF issues in the base spec. Minor issue; an informative note will be added during AUTH48.

*** Presentation by Mike Thomas (via Jim Fenton) about SSP requirements.

Summary of status & minor edits. Two significant issues:

1. tracker issue 1399: must the protocol be able to publish statements for the domain and its subdomains? If not, attackers can make up subdomains, which will have no policies of their own. Concern is that walking up the domain hierarchy could be costly (too many queries too often).
Comment: Filters will decide that subdomain combinations look fishy, and will reject without doing policy queries.
Comment: RRs or underscore prefix might be able to satisfy this.
Conclusion: Retain this requirement.

2. tracker issue 1386. Phillip has proposed text:

"10. The signing policy statement MUST be capable of fully describing a signing practice in which multiple signatures are always provided such that the policy is of utility to any verifier is capable of verifying any of the signatures that are always provided.
Such a mechanism MUST NOT:
- Require the verifier to perform any additional DNS lookups
- Require duplication of configuration data
- In particular not require the policy record to provide for the description of any cryptographic or canonicalization algorithm"

Should this requirement go in, or not?
Initial discussion relates to multiple signatures (such as algorithm transition), shows confusion about the issue and disagreement about whether it's really a problem. Further discussion held until Phillip's presentation later in the meeting.

*** Presentation by Jim Fenton about SSP protocol.

We originally had four proposals; one was withdrawn, and consensus is to merge two others and use that as the basis for the WG document. The merge is between the proposal by Phillip and the one by Jim & Eric.

Jim discusses the latest working version of draft-allman-dkim-ssp:
- Removal of "user" policy.
- More human-readable tag names (e.g. "dkimflag" instead of "t").
- Changes to algorithm, particularly with respect to subdomain walk.

Open issues:
- New DKIMP resource record vs TXT record.
- "Strict" policy.
- Policies limiting selectors, policies for transitions.
- Use of PTR/XPTR.

Description of new algorithm, followed by discussion. Discussion focuses on subdomains, wildcards, tree-walking.

*** Presentation by Phillip Hallam-Baker about "compliance".

The premise is that there's a distinction we're missing, where in addition to whether a signature verifies or not, there's the question of whether it's compliant with policy or not. This results in more than two states, and Phill sets it out as three:
1. Signed
2. Compliant with policy but not authenticated
3. Not compliant

After the presentation and extended discussion on the question, the room was about evenly divided on whether the requirement Phill's proposing is needed. We need more working-group comments/discussion on this.

*** Presentation by Tony Hansen about splitting the overview document into two or three documents.

The point is to get the part of the overview document that gives important information for early adopters out now, and then to supplement with new information as the group's work progresses.
Comment: There's a lot of extra process work involved.
Comment: That process work is on the authors and chairs, not much on the working group as a whole. Authors assert that they are committed to following through with all subdocuments.
Conclusion: Allow the authors to decide whether and where to split the document. There will, of course, be WG approval as we go.

*** Arvel Hathcock gave a brief presentation on "vouch by reference" status.

This is not a working group item, presented here for information only.

*** Murray Kucherawy briefly discussed his authentication-results header draft.

This is not a working group item, but should be considered by the working group, at least for information & vetting.

The meeting was closed at 11:26 local time.