Re: [Ietf-dkim] Comments on draft-chuang-dkim-replay-problem

Fri, 24 Mar 2023 09:59:56 -0700 

Murray,
I'll skip over comments that I think will be resolved as Wei incorporates my text or that I don't have a useful comment on... 

On 3/24/2023 9:38 AM, Murray S. Kucherawy wrote:

I think I concur with the suggestion that wa should drop discussion of 
ARC.  This WG, or the DMARC WG, can develop an update to ARC based on 
the outcome here if the community chooses to do so, but I don't think 
it should be part of this WG's premise.



sigh.  The draft only makes a quick, careful reference to ARC's having a 
similar vulnerability.  Given it's underlying similarity to DKIM and 
given that this is an introductory document rather than a specification, 
I think it appropriate to give the reader a heads up.  (FWIW, for early 
versions of the draft I was also inclined to want it out.  I think the 
current, brief text is, however, apt.)




Section 1.2:


The opening sentence that emphasizes non-use of RFC 2119, amusingly, 
forces you to include a reference to RFC 2119.  I suggest instead: 
"This document is not normative in any way."



As I recall, there was some discussion about this.  For one thing, the 
IETF really likes seeing the reference.  Including it ensures no hiccups 
in the mechanics of handling the document. (And, yes, it is amusing.)




Are we sure SPF and DMARC should be in scope for this work?  SPF feels 
irrelevant, and DMARC feels like a layer violation.  If we want to do 
so, we could refer the reader to the RFCs defining those protocols 
just to make them aware of the bits of the ecosystem, but then I would 
leave them out of the rest of the document.




Section 6 can simply say there are no security considerations for a 
problem statement document, though you anticipate some interesting 
ones in documents to follow.  :-)



Hmmm.  On the other hand, have some discussion of security-related 
issues in a section identified for that topic, might be useful for 
highlighting dangers or concerns.


d/


--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim






















					Reply via email to