To add chair support to Murray's comment: On Wed, Jun 22, 2011 at 13:17, Murray S. Kucherawy <m...@cloudmark.com> wrote: >> -----Original Message----- >> From: ietf-boun...@ietf.org [mailto:ietf-boun...@ietf.org] On Behalf Of >> Douglas Otis >> Sent: Tuesday, June 21, 2011 6:51 PM >> To: ietf@ietf.org; Barry Leiba; iesg-secret...@ietf.org; Sean Turner >> Subject: Last Call: <draft-ietf-dkim-rfc4871bis-12.txt> (DomainKeys >> Identified Mail (DKIM) Signatures) to Draft Standard >> >> [...] >> >> This indicates the DKIM specification is seriously flawed. While DKIM >> may not offer author validation, it was intended to establish an >> accountable domain for the signed message content that at a minimum >> includes the From header field. There are NO valid reasons for a valid >> signature to include multiple From header fields! Allowing multiple >> From header fields is _EVIL_ and destroys DKIM's intended purpose as >> defined by prior work. > > This purported security flaw and surrounding FUD was discussed at huge length > in the working group, and consensus was clearly against the idea of dealing > with > this in DKIM because it's the wrong place to address the problem. The > record, both > in the issues tracker and in the working group's archive, is quite clear > about this, > and both are open to public scrutiny.
Indeed. We gave this issue at least two clear consensus calls, and it's very clear that the rough consensus considers the kind of validation that Doug is asking for to be a good idea, but outside the scope of the DKIM protocol. That is, the validation ought to be done in another part of the software system. The document does actually advise that, and that advice is all that working group consensus was behind. Consensus also is that Doug is severely overstating the problem. This has been decided and re-decided. > And I find the tactic of taking a lost battle from a working group to the > IETF as > a whole to be akin to the "Mom said no, I'll go ask Dad!" strategy that I > outgrew > by the time I was a teenager... I, too, have a problem with how IETF last call is sometimes being used by working group participants to rehash issues. But that's a subject for a separate conversation, and not for here. Barry, DKIM working group chair _______________________________________________ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf