Right, also because the document does not dig deeply into ADSP matter.
In particular, I think most of the issues discussed for
"discardable" hold unchanged for "all", and some of them even for TPA.
I would s/"discardable"/non-default/; for example

Furthermore, authors whose ADSP is published as "discardable" are
advised not to send mail to MLMs as it is likely to be rejected by
ADSP-aware recipients.

would become

Furthermore, authors whose domains publish a non-default ADSP
record are advised not to send mail to MLMs as it may be rejected
or dropped for policy reasons by ADSP-aware recipients.

(My tongue cripples on "non-unknown", but then I'm not an English
speaker.)

I have another couple of points, since I'm at it. On 26/Jul/10 14:02,
Because signing isn't but one of the five points that RFC 5451
proposes for recognizing authentic header fields. In particular, an
A-R written by a border MTA upstream of the receiver may be unsigned
yet trusted.

I think the following paragraph --554 replies-- is much better. But
how about grepping /554 .*ADSP/ from the log files? Consider appending
six words like so:

SMTP servers doing so are also advised to use appropriate wording
in the text portion of the reply, possibly using the term "ADSP"
explicitly.


The final suggestion I have is discussable. Hence I send it as a
separate message, according to the spirit of the prohibition quoted
above. "Yet another alternative mailing list approach" may deserve
being mentioned in the I-D, in case the WG find it's worth.

Hi, Murray,
finally got some time to review the -01 draft. Below are my comments.

----

3.2: typo: "... a address..." should be "...an address..."

3.3: in the light of the discussion on message digests, I'd suggest to
add text to this paragraph about MLM's turning multiple messages from
potentially multiple senders/authors into a new message, invalidating
the DKIM signature of the original message(s).

3.3: Just a note on subject tags you may or may not wish to add: some
MLM's offer the choice of appending a postfix (as an alternative to
prepending a prefix).

3.4: "... entire entire..." should be "... entire..."

3.4: "... but this not workable..." should be "... but this is not
workable..."

3.4: in addition to making the recommendation of sending periodic,
automatic mailings to the list, I would suggest to make the (implicitely
present) recommendation for an MLM, to not add header- and footer
sections, more explicit.

4. (and 5.) I would suggest to add one or two lines to the Introduction
paragraph (par. 1.2 or par 1.4, or add a par. 1.5) to explain that there
are different types of MLM's and they each are addressed in this
document, in different sections. Something along the lines of:

"In general there are, in relation to DKIM, two categories of MLMs:
participating and non-participating MLMs. As both types have their own
issues, regarding DKIM signed messages that are handled by them, they
are discussed in two different chapters (possibly a link to chapter 4
and 5)."

4.1 I get confused here: you write "the author is advised to be cautious
when deciding whether or not to sign the message". However, according to
par. 3.1 the author does not sign a message; that is being done by the
signer. Furthermore, if we change this phrase into "the signer is
advised to be cautious when deciding whether or not to sign the message"
then the question is: how can a signer (which is by definition not a
human being) know whether the MLM is non-participating. If the signer is
not a human being, there must be some mechanism by which the signer can
learn from the MLM that is is non-participating, but as the MLM is not
participating, it is difficult to propose a protocol between MLM and
signer to make the signer aware that the MLM is not DKIM aware :-)

The remainder of that paragraph explains things pretty well, but the
first few lines causes some confusion.

4.3 Under [ADSP]. "... Per that specification, when a message is
unsigned or the signature can no longer be verified, the verifier must
discard the message. ...". But this is only true if the author domain
publishes 'discardable'. So I suggest to change this phrase into: "...
Per that specification, when a message is unsigned or the signature can
no longer be verified, the verifier must discard the message in case the
author domain publishes an ADSP policy of discardable. ..."

5.1 Section 2: I wonder whether this paragraph is still required, in the
light of the 'reject policy' described in par. 5.5. After all, why
bother non-posting subscribers with these warnings? As soon as they
start posting, they will get a warning (i.e. a reject) when submitting
their first message and then they can change their policy or post using
another address/(sub)domain. I would suggest to remove this paragraph,
unless I'm overlooking something.

5.4 The title "Pros and Cons of Signature Removal" does not really cover
the contents of the paragraph. I would suggest "Signature Removal" as title.

5.4 I wonder whether there's any wording required here to describe what
an MLM should do in case of sending a digest. For example, MailMan
supports two types of digest, one of them being the multipart/digest
MIME type, where each message is sent as bodypart inside a mail. Should
the MLM try to verify the DKIM signature of all messages within the
digest and put the A-R for all of them in the header? And remove them
all? Presumably the answer is 'yes', but it won't hurt to describe this
explicitely.

5.6 At the end of page 18, beginning of page 19: should there not be
explicitely added "o 5322.

I went through -01 again.

Basically, it's fine. There's a few places where it says things that
are out of scope of DKIM. A signature either verifies or it doesn't,
and there's nothing inherently good or bad about that.

RFC 4871 carefully describes the way one verifies a signature, and
that process does't include attempts to guess what alternate form of a
message with a broken signature might have been signed. (Even Mike
admits it's against the rules when he does that.) A broken signature
is the same as no signature.

ADSP has some fairly specific advice about when not to use discardable,
which is relevant here.

Hence:

Sec 3.2 2nd pp on page 9: "most direct conflict operationally with DKIM" ->
"widest range of possible interactions with DKIM" or something like that.
I don't see any confict at all.

Sec 3.3 "the addition of some list-specific text to the top or bottom of
the message body." -> "modification of the message body." Lists do a
lot more than add tag lines, as described in subsequent paragraphs.

under Minor body changes: "pose an immediate problem" -> "will probably cause
any existing signatures not to verify." Broken signatures are not a
problem.

under Major body changes: delete "with little or no hope of
compensation by either the signer or the verifier." There's no
such thing as compensation beyond relaxed canonicanization,
which isn't relevant here

after "human list manager" add "who hand-edits messages" (that would be me)

next pp starting "In general", change first sentence to:
In general, an MLM subscriber cannot expect signatures applied before
the message was processed by the MLM to be valid.

Sec 3.4 2nd pp: delete sentence starting "The shortest path" Personally, I
think the shortest path is for the MLM's MTA to sign its outgoing
mail, but I don't think we have consensus either way, so just take
it out.

Last pp in 3.4: even if there were a new header, few MUAs would interpret
it. Suggest taking out "Rather than ... purpose" since it's not a
realistic alternative.

Section 4.1: There's no reason not to sign all the mail you send to a list.
Even if the MLM breaks the signature, the MLM itself can use the
signature when deciding how to handle the message. The implication
in the first paragraph that a broken signature is worse than no
signature is just wrong according to 4871. Also, [ADSP] says in
Appendix B not to send mail to lists from discardable domains. So
I suggest replacing the first paragraph with a sentence or two
encouraging people to sign mail sent to lists the same way they
sign mail to anyone else. In the second pp, change "If this is cause
for concern" to "For domains that publish strict ADSP policies"

Section 4.2: channelling Dave, standards shouldn't suggest heuristics.
So change the second sentence to something like "Sites whose users
subscribe to non-participating MLMs should be prepared for
legitimate mail to arrive with no valid signature, just as it
always has in the absence of DKIM."

Section 4.3: I'd just delete it. The second pp is OK, but people using
DKIM are supposed to know that already, aren't they?

Section 5.1: I'd strengthen it to say that since people aren't
supposed to send mail to lists from discardable domains in the
first place, lists should reject it or perhaps (for people who've
already subscribed so you know it's not spam blowback) drop the message
and send back a note explaining why.

Section 5.2, second pp: I don't understand the point of creating a
separate signing domain for mail you send to lists. Why would the
reputation of mail that people send to lists be better or worse than
mail they send anywhere else? It's the same people, I don't see the
point of a separate mailstream. ADSP isn't a good reason, since
it says not to use discardable for domains with human senders.

The third pp suggests that you're telling people to separate their
human mailstream from their transactions and their spam blasts. If
that's what you mean, I agree, but I'd encourage you to trim down
the section and reword it to say so more clearly.

In Section 5.4, either delete it or add a sentence at the front that
says THE ADVICE IN THIS SECTION IS SOLELY INTENDED TO WORK AROUND
BRAIN DAMAGE IN FILTERS THAT DO NOT IMPLEMENT DKIM ACCORDING TO THE
SPECIFICATIONS.

(Well, adding an A-R header isn't, but removing signatures that
might be broken sure is.)

In Section 5,5, add a ref to [ADSP] Appendix B.5 which says not to
send discardable mail to lists.

In Section 5.6, first pp: add a sentence noting that recipient system
will likely use the MLM's signature to recognize list mail and
develop a (presumably good) reputation for the list itself.

In Section 5.7 add to the end "if senders misuse ADSP" or the like.

Section 5.9, second pp: change to
Receivers are advised to ignore Authentication-Results
header fields that are not signed by a credible signer.

(Bad guys can sign fake A-R headers.)

Section 5.9, third pp: if a message fails "discardable" the receiver
should discard it, not reject it. This avoids the bouncing off the
list problem, and you're just following orders -- they said it was
discardable, after all.

Sections 6, 7, 8, and 9 are flawless.

R's,
John

PS: If I didn't say so before, thanks for all the work you've put into
this.

Murray, et al,


I think the Introduction's first paragraph is the best summary of DKIM that's
been written for any of our document's, so far.

Throughout the document, there is a tendency to offer advice without
justification. While I, of course, think the advice is good, the fact that it
is cast as advice means it needs to carry a statement of efficacy. Why do
things this way? Why not do them some other way? Advice requires a context of
tradeoffs.



SUBSTANTIVE
===========
The word "should" implies an intent to make a normative statement. This
conflicts with the stated goal of Informational status. So does the distinction
between Normative and Informative references.

Either the goal should be BCP (or even Proposed) or perhaps the language for
this type of statement needs to be softened to something like "Under what
circumstances does..."

My own guess is that this document should target BCP. However on further
reading I came to the conclusion that this might be two documents, one BCP per
its original goal and one Proposed, defining value-added semantics. See below.
This might not need "fixing" but I found myself asking what it means for an MLM
to "use DKIM identifiers"? Perhaps in an Introduction it's ok to say this
without prior setup. Dunno.

Of the four bullets, aren't the latter three the details for the first one?
This is a philosophical question: Given a document making normative statements,
aren't the definitions upon which it bases those statements themselves
normative? How can foundational language for normative statements not, itself,
be normative?
The concept of streams is discussed in the Deployment doc (RFC 5863):

<http://tools.ietf.org/html/rfc5863>

and the DKIM Wikipedia article:

<http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail>

I suggest citing them. We should make sure this doc conforms to their
definition of explains its variation.

By my reading, your text does conform, but your definitional sentence probably
offers a more explicit and complete definition than the other docs.

However...
If the reference to subdomains isn't for d=, then what does it refer to? If it
does mean the d= value, then the sentence wording is a bit confusing.

More conceptually, what way other than d= subdomains is within the scope of the
DKIM signing specification, for distinguishing among streams?
I've been finding myself distinguishing between responsibility for content
versus responsibility for initial handling, and using the term "author" for the
former. "Sender" or "originator" seem to refer to the latter. Your use of
Originator seems to match this.

I've gotten diligent about using the word "content" since that seems to be a
magic way to get people to focus on substance rather than matters of form. That
is, it's where "responsibility" gets much more serious.
This sentence hangs there, without a label and without context. What is the
reader to do with it?
While the content of this section seems useful, it doesn't really discuss either
of these as "alternatives". In fact, I initially thought the title meant them
as alternatives to each other! Only by reading later sections did it occur to
me that you meant each to have a "non-" form offered as the alternative.
It occurs to me that the term "DKIM-friendly" would be far more useful if it
were first defined. I suggest that up in Terminology it be introduced. No
doubt, the details for the term will be subject to some debate. Best conduct
that debate during definition, rather than in the middle of its substantive use...

(It's only used other time, up in Section 1, but my sense is that as a group
we've been using the term more and that it might be worth making it a real
technical term of art.)
That sounds very much like a SHOULD NOT. Assuming the doc is really going to be
normative, then now's the time to start using the right language.
List policy details? Huh?

1) I don't really know what that means

2) I'm not sure why this is being mentioned here

3) Any use of the word "policy" usually works against doing productive work
in these groups.

Seriously. Show me an IETF "policy" specification that's been successful. Show
me a second one.

And "for that purpose"? What purpose? Again, I've missed the context.

Has this morphed into a more general MLM BCP? (I assume this is what the
earlier discussion of such a BCP, sometime back, was about.)
This is the sort of guidance that is comforting to the writer, but has no
practical benefit. Never mind whether an author is ever going to know the
required information. The guidance "be cautious" has no meaning or, at least,
no meaning in a technical specification seeking substance and precision. The
later text, two paragraphs down in the document, acknowledges this problem.
This text suffers the same problem. Site administrators can't be expected to
have enough knowledge or time "to consider" much about this topic. Rather, this
document should give simple and direct guidance for their choices. Language
like the following "A common suggestion" is exactly what they need an direct,
prescriptive form.

With respect to the guidance being given, there is a gaping hole that is implied
but not cited, although we've already seen it in the wild:

If an organization insists that all mail be signed under the same domain
name that is in the From: header field and it publishes a strict ADSP record,
then it is not possible for mail from that organization to go through a mailing
list. Ever.

Messing with d= is of course irrelevant to this problem.
And my point is that this language is too soft, modulo debating what "more
strict" means. The document should make a simple statement of the condition and
a simple statement of the result, since I think we understand both.
I think everything said in this section is probably correct, but I am not sure
what it is referring to, within the scope of DKIM. What technical actions do
"Verification Outcomes" refer to?
This sounds reasonable, but I'm hard-pressed to believe it's practical.

I think the danger, here, is that listing impractical alternatives gives the
impression of having resolved something that actually remains unresolved.
This is off-topic, but I keep wondering whether there isn't an opportunity for a
value-added function in the form of a header-field, which says something like
"the presence of this header field, when signed by DKIM, means that the contents
cited in this header field are asserted to be 'valid'...

So, for example:

DKIM-Valid: From, Date, Subject, Body

could mean that the signer claims all of that information is "correct", not just
carried correctly. Of course, the signer's DKIM h= also have to cite those
fields, as well as DKIM-Valid.

I think the hard part, here, is deciding whether the signer's d= has any
constraints, and what a receiver might or might not do, depending on who did the
signing.

but as I say, this is off-topic...
I don't think I understand what this means. What is "selective signing" and
where is the basis for giving directions about it? This is being used as a term
of art, but I don't think it's been defined and I think that there isn't
community consensus about it. And I'm not sure that anything about it is
dependent upon MLMs.
"Trust"??? What does that mean, exactly, here? It needs to be defined. Seriously.
Oh boy. No doubt this really is good advice, but ultimately it's based on a
value-added semantic that isn't written down anywhere, nevermind "approved"...

Again, I think this document really has two heads -- and possibly three -- and
probably needs to be split into two or three documents. One of them is a BCP
per the original goal. Another the other is a value-added technical
specification for Intermediaries that support DKIM. The third is that generic
MLM doc that folks have been mentioning.

The alternative is to go back and redefine the semantic of a DKIM signature. I
suspect that would cause some existing signers to stop using DKIM, since their
basis for using DKIM entails a much lower level of meaning that is being implied
here.

To be clear, I'm not saying that the value-added semantic is a bad idea. Merely
that it needs to be defined explicitly and, hopefully, in a generic fashion, so
that a receiver does not have to wander all over the header fields trying to
asses assorted interdependencies, before being able to determine what a
signature or a header field means.
DKIM and ADSP evaluation are not performed during an SMTP session, unless the
session is delayed after the crlf.crlf, and that's not supposed to happen.
Although this is useful text, it isn't in a form that's appropriate for a BCP.
I'm not sure what to suggest.
MLMs SHOULD apply a DKIM failure reporting mechanism, for providing feedback
about...




NITS OR UNCONTROVERSIAL
=======================
...to make a claim of responsibility by affixing a validated domain-level
identifier to the message...
Given the short history of DKIM use and the fact that this document will live a
long time, making normative assertions is a bit risky. Perhaps:

One configuration of DKIM use attaches the DKIM signature as a message
passes through a...
Good list. I suggest adding two figures that show a before and after example of
a message, reflecting these modifications.
First sentence really is redundant. Perhaps instead:

However note that MLM's vary widely in their behavior, as well as often
allowing subscribers to specify individual treatment. The above list also does
not...
I think the signature doc is the only "DKIM specification document". Singular.
Given how often people say DKIM when they mean ADSP, we'll do better to refer
to them separately. Especially for this statement, since ADSP does not refrain
from the notion...
This isn't a comment on this draft. It's a broader question: I think I'm
seeing "signing domain" used as the common reference for d=, rather than the
newly-minted SDID term. Does that match other folks' perception?
ADMD could sign any message -> ADMD handling a message can sign it
Awkward wording. Might not be understood if the reader does not already know
this point. Perhaps:

In particular, DKIM does not define any meaning to the occurrence of a
match between the content of the "d=" tag in the DKIM-Signature: header field
and the value of (for example) a domain name in the RFC5322.

Why not? My MTA usually does a whole spamassassin run between the end
of data and the ack. It adds maybe five seconds, at a point where 5321
says the timeout should be ten minutes.

R's,
John

My replies inline. In a few places I've argued in favour of leaving the current text as-is, but I'm open to further debate of course.
I think in some ways it is definitely the question, but taking up a posture of "How can MLMs fix themselves to work in the DKIM world?" is not the right way to put it. As I'm sure others will be quick to point out, a lot of the things MLMs do are entrenched, perhaps reasonably so, and it will take a lot of hard arguing to convince them to change and for everyone to roll out those changes and participate, affecting countless users.

The softer approach taken here is to evaluate the impact of not changing and contrasting it to what things would be like if they did, and let them decide for themselves.
Done.
The 2.x sections are just introducing terminology and references to other documents where such terminology is discussed rather than discussing the material there.
You're right. 1.1 can just refer to 3.3.
True; I suppose I thought what was said there was enough to evoke people's imaginations, but I'll make that more explicit.
Actually on re-reading, Section 3.4 doesn't really fit in with the rest of Section 3, which just lays out the current story. Thanks for these suggestions.
You're right; "filtering" there should refer to the sign/don't-sign decision 4.1 discusses. I'll fix that.
The title of Section 5 is meant to cover a number of sub-issues that come into play when considering activity to, from or through a participating MLM. Certainly the author stream is part of that.
I agree with the repositioning of the first paragraph, but I think the section headings are fine.
I've done some other rearranging in there now. Let me know what you think once -02 is published.
Since the rest of Section 5 is a walk-through of the various steps of the processing of a signed message as it arrives at and transits an MLM, I think this text is in the right place.
Done, but only for the last one; I think the back-reference to adjacent sections is a bit redundant.
Did some reworking of these as well.
You're right, this is incorrect. What should be signed is the MLM Output.
I think that's probably a good idea. I've added a "Wrapping..." section at the end of Section 4.
I don't think this is necessarily a bad idea -- indeed, early data from OpenDKIM suggests this may even be likely -- but I don't know that this document should recommend or suggest it. It certainly is something an MLM implementer could decide to do.

On the other hand if the data collected by the WG shows that signature survival rates are generally pretty high, maybe this isn't such a crazy idea.
I think it fits within the overall Section 5 (Participating MLMs) story, so it's OK where it is.
Yes.
Yes, this needs clarification. I'll do so in -02.
I've used your text in a bit of a simpler form.

Thanks for your feedback! I'll watch for your "MUA Considerations" text.

-MSK

Oh no. (That is. we shouldn't not bother.) There's plenty of good
stuff in your draft, but on reflection I think the key is for the DKIM
camp to be modest in its claims and goals. Mailing lists do what they
have done for 30 years, and they're not going to change in any major
way. To the extent that DKIM can help them do what they're going to
do anyway, it's useful.

The discussion of different kinds of lists is certainly helpful, but
we risk going into the weeds when we start getting into complex
analyses and advice for scenarios that seem (to me at least) pretty
far fetched.

So, for example, one of the things that lists have always done is send
mail to people who have subscribed and presumably want it. Signing
the outgoing mail should help receipients recognize the mail they
want, so it makes sense to recommend that.

On the other hand, providing per-contributor reputation clues to
subscribers (beyond what's on the From: line) is something that lists
have never done, so I think it's a poor idea to try to invent ways to
do that.

Does that make sense?

R's,
John

No, but the entire document is riddled with advice that has no basis
in experience and is unlikely ever to be implemented.

We have a serious problem that people in this group have deeply
incompatible ideas of what DKIM does. A lot of the arguments seem to
be from people who believe that a DKIM signature can or should
identify the individual author of a message, and that subscribers to
mailing lists need assurances about the identity of list authors
beyond the minimal level that has been adequate for the past twenty
years. I have trouble understanding how anyone who is familiar with
DKIM or with the operation of mailing lists could hold these
positions, but it is quite obvious that some do.

At this point, unless we can cut back the MLM document to stick to
items that we have consensus about, e.g., that it is typical for
signatures applied to incoming mail not to verify after a message
passes through an MLM, and that it would be nice if a list or its MTA
signed its outgoing mail, I don't think we will produce anything that
is useful to anyone.

R's,
John

"e.g." means "such as" or "for example."

I expect there's a fair amount we agree on. Maybe it's enough to be
worth documenting, maybe not, but I think it would be more productive
to see what we agree on rather than trying to force our pet projects
into the document.

I'll cheerfully give up references to S/MIME, if other people will
give up on telling software developers how to rewrite MLMs to do
things they've never done before.

Don't forget that an experimental RFC is the accepted way to document
a paper design to see if it gets any traction, as the EAI group did
with various ways to represent non-ASCII e-mail addresses.

R's,
John

If we want to increase adoption of DKIM today, then I think there
is value in a document that explains in plain words what DKIM
actually does, in terms of what mailing lists actually do, and in
terms of how MUAs actually work, common traps and pitfalls included.

If we want to increase adoption of DKIM in some distant future,
then we would need to speculate about what that future would look
like, and that is not useful.

Wietse