On November 15, 2022 3:12:22 PM UTC, Barry Leiba <barryle...@computer.org>
wrote:
>On Mon, Nov 14, 2022 at 11:03 AM Alessandro Vesely <ves...@tana.it> wrote:
>>
>> On Mon 14/Nov/2022 05:50:42 +0100 Roland Turner wrote:
>> > I'd point out that all but one of those things is either redundant (vs. say
>> > ARC), unacceptably harmful (we use DKIM *in the first place* to facilitate
>> > forwarding outside of the domain-registrant/sender's control), or both.
>>
>> +1, Scott is right when he says DKIM is working as designed.
>
>Well, yes and no. It is working as designed in that it was not
>explicitly designed to prevent replay other than through the x= tag.
>
>But as one of several people in this discussion who took part in the
>design, I can tell you that replay was absolutely considered, that we
>*wanted* to do more to prevent replay, and that *allowing* replay is
>definitely not "working as designed". We spent quite a bit of time
>looking at how we could deal with replay, but given what we knew and
>what our constraints were at the time (and the importance we thought
>replay attacks would have), we couldn't come up with something we
>thought was workable. We hoped that the problem would be minimal and
>that x= would be enough.
>
>We now have more experience, a better sense of which use cases and
>features are more important and which are less so, more awareness of
>how serious the problem is, different people with new ideas, and so
>on. I'm on the fence about the current proposals and have to think
>about and consider them more. I am NOT on the fence about the need to
>consider them -- and other possible solutions -- and to discuss and
>decide on a way forward.
>
>That's what this proposed working group is for. If you think that
>nothing should be changed and every proposed solution breaks more than
>it fixes, that's a perfectly reasonable view and one that needs to be
>part of the working group's consideration. I DON'T think that means
>that we shouldn't have the working group and have the discussion.
This seems right to me. We should see if we can do better, but one possible
outcome has to be that the likely side effects of fixing the replay problem
outweigh the benefits.
My concern with the charter is currently, the way I read it, the side effects
to worry about are limited to impact on DKIM and I think that's too narrow.
I'm still ruminating over specifically what to suggest.
Scott K
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
