On 14/11/22 20:07, Wei Chuang wrote:

On Sun, Nov 13, 2022 at 8:50 PM Roland Turner <roland=40rolandturner....@dmarc.ietf.org> wrote:

    On 13/11/22 03:05, Wei Chuang wrote:

    On Fri, Nov 11, 2022 at 11:17 PM Roland Turner
    <roland=40rolandturner....@dmarc.ietf.org> wrote:


         1. Unless one or more of the larger receivers (a) has a
            useful tool to help with this problem, and (b) is willing
            to share operational experience, then we risk creating
            yet another lengthy, academic exercise (remember ADSP?).
            I'd suggest that this might be enough reason by itself
            not to proceed.

    See the dispatch slides here
    <https://datatracker.ietf.org/meeting/115/materials/slides-115-dispatch-dkim-replay-problem-and-possible-solutions>
    for operational experience and impact for at least Gmail and Fastmail
    (the presenters).  See the introduction.

    Thanks, but that deck appears to contain no information about
    operational experience or impact for either organisation, it
    merely describes the attack and surveys the proposed improvements
    to defences. Also, while Bron's role at Fastmail is clear, your
    own involvement with Google's receiving of email is not: are you
    in fact part of Google's email abuse control function?

Yes.  As to my role in this, I am a Gmail delivery team lead with responsibility over the email authentication systems.  The introduction in that slide deck represents the consensus description between the anti-abuse and delivery teams with feedback from Bron and others as to the behavior and impact of DKIM replay, and was based on a longer version presented at the M3AAWG 56 BoF that was shortened to fit into the allotted time for Dispatch.  I can also say that Gmail is very interested in seeing a DKIM replay solution be developed in the IETF.  Depending on how this goes, if the solution is technically sound and feasible, yes we will invest in prototyping the specification.

Understood, and thanks for clarifying. That addresses my concern, so long as "delivery team" and incoming protection teams talk!

My hope is of course that your presence in the WG will help remove the risk of a non-sound/feasible solution being adopted.


- Roland

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
