Re: [Ietf-dkim] Rechartering

Tue, 03 Jan 2023 13:04:05 -0800 


On 1/3/23 8:59 AM, Todd Herr wrote:

On Mon, Jan 2, 2023 at 3:04 PM Evan Burke <evan.s.bu...@gmail.com> wrote:



    On Sat, Dec 31, 2022 at 10:44 PM Wei Chuang
    <weihaw=40google....@dmarc.ietf.org> wrote:
    > I'm worried about duplicating work unnecessarily as the M3AAWG
    has an email authentication BCP.  If the WG to-be indeed does want
    to generate the BCP, perhaps the M3AAWG document can be the basis
    for an IETF document assuming M3AAWG is okay with that, or the WG
    can partner with M3AAWG to produce a common document.  I think
    both are possible as there's a fair amount of people overlapping
    between the IETF and M3AAWG, and I know that M3AAWG
    organizationally wants to help here.

    I believe there's a revision underway for the general M3AAWG auth
    BCP doc, which will include a handful of sender-focused
    recommendations for reducing the viability of replay attacks.
    There is also a DKIM replay specific M3 BCP doc in progress with
    more in-depth recommendations.
Evan is correct on this point; there is a revision underway for the general M3AAWG auth BCP doc, for some values of "underway", anyway.
I'm the person who's taken on the responsibility for authoring said revisions, but I've been waiting for the M3AAWG DKIM Replay work to produce something tangible to ensure that what I write doesn't conflict with that work.
Yet another reason why I'm skeptical. If there were a viable protocol solution to this, why hasn't M3AAWG found it? Why re-spin up a working group with a what appears to be a greenfield solution space if an active industry working group hasn't chimed in? If there were some viable protocol solution, I would expect they would at least put it forward. Working groups are infinitely more productive if there is some collective agreement about the general parameters of a solution, even if the particulars need to be vetted. The couple of solutions I've seen thus far are either trivially breakable (= striping signatures at MDA's), or frightening to contemplate what they'd break (= tying envelope to message). That doesn't give me the warm fuzzies about any protocol level solution.
Also: if they are indeed working on a BCP, it would be far better to use that as input rather than reinventing wheels. 

Mike

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim

Reply via email to