DomainKeys Identified Mail (DKIM) and Mailing Lists
draft-ietf-dkim-mailinglists-12

[Ballot comment]
3.1:

  originator:  The agent that accepts a message from the author,
      ensures it conforms to the relevant standards such as [MAIL], and
      then sends it toward its destination(s).  This is often referred
      to as the Mail Submission Agent (MSA).

That definition is incorrect. The originator is not identical to the MSA. My secretary (whose address appears in the "Sender:" field of a message authored by me) is at least part of the "originator", but he is by no means part of the MSA. The MSA is a servce, in MAIL-ARCH terms. The originator is an actor role. I suspect in all of the definitions in this section, there is a conflation of these going on, but originator is the one that is most egrigeous.

5.1

  However, the practice of applying headers and footers to message
  bodies is common and not expected to fade regardless of what
  documents this or any standards body might produce.  This sort of
  change will invalidate the signature on a message where the body hash
  covers the entire message.  Thus, the following sections also discuss
  and suggest other processing alternatives.

I think the document ought to explicitly say something stronger along the lines of, "MLMs that are DKIM-aware ought to stick to header field additions only and not make changes to headers and footers."

(Note to IESG: Personally, I wish this document were part of the AS experiment and had even more MUSTs and SHOULDs. I will weep silently in my beer that it is not.)

[Ballot comment]
This is a complex topic full of difficult tradeoffs, but the document was a pleasure to read. Thank you for writing it in such a clear manner that it is understandable even by non-email experts.

[Ballot comment]
This is a fine document. One nit: in Section 1.2, please expand "ADSP" on first use or change "ADSP policies" to something like "DKIM author domain signing practices [ADSP]".

[Ballot comment]
One quite minor editorial comment; the rest of the document was well-written and this bit of text stuck out.  In Section 3.3:

  List-specific header fields:  [...]
      Therefore not seen as a concern.

Was the sentence fragment intended?

[Ballot comment]
I also dithered over the BCP/Informational issue.
However, the document seems to involve issues of end-to-end service provision where the service is improved by adherence to the guidelines. This takes it over the line into a BCP, IMHO.
If the impact of the document was entirely limited to within a single domain, I would say that it should be Informational.

I did not find the use of RFC 2119 language helpful, and would suggest writing guidelines in English, reserving 2119 language for normative protocol specifications or for emphasis in requirements specs.

[Ballot comment]
The 4th paragraph of section 1.2 (beginning "Some MLM behaviors") reads like motivation for starting a draft, rather than documenting the resulting discussion. Please consider updating its perspective or removing the paragraph.

[Ballot comment]
(1) I think section 5.2 is the "meat" of this basically, so would
suggest a forward reference to there from last paragraph of the
intro.

(2) In 2.5 should the 1st "i.e.," really be "e.g.," - that is, are
you saying "d=" is the *only* way to identify message streams?
If so, then perhaps make that clear. (I just don't recall if there
were other good ways. I do recall there being other bad ways:-)
 
(3) 5.4 is a bit unclear to me. I suggest just adding an example.

During IETF LC there was some debate as to whether this should be a BCP or an Informational draft (https://www.ietf.org/ibin/c5i?mid=6&rid=49&gid=0&k1=933&k2=56468&tid=1307983014 and https://www.ietf.org/ibin/c5i?mid=6&rid=49&gid=0&k1=933&k2=56466&tid=1307983014).  I decided to proceed with BCP because:

a) I do not believe that "BCP" needs to be taken literally.  Some have argued that we've published BCPs that were neither Best, Current, nor a Practice.

b) There is some BCP in the document (last paragraph Section 1 as noted in the write-up).  For me, no matter how small the amount it gets to be a BCP.

State changed to In Last Call from Last Call Requested.

The following Last Call Announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Subject: Second Last Call:  (DKIM And Mailing Lists) to BCP


The IESG has received a request from the Domain Keys Identified Mail WG
(dkim) to consider the following document:
- 'DKIM And Mailing Lists'
  as a BCP

This second last call has been made to enumerate a normative reference
to an informative RFC:

      Crocker, D., "Internet Mail Architecture", RFC 5598, July 2009.

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2011-06-17. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  DomainKeys Identified Mail (DKIM) allows an administrative mail
  domain (ADMD) to assume some responsibility for a message.  Based on
  deployment experience with DKIM, this Best Current Practices document
  provides guidance for the use of DKIM with scenarios that include
  Mailing List Managers (MLMs).

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-dkim-mailinglists/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-dkim-mailinglists/


No IPR declarations have been submitted directly on this I-D.

State changed to In Last Call from Last Call Requested.

The following Last Call Announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Subject: Last Call:  (DKIM And Mailing Lists) to BCP


The IESG has received a request from the Domain Keys Identified Mail WG
(dkim) to consider the following document:
- 'DKIM And Mailing Lists'
  as a BCP

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2011-05-26. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  DomainKeys Identified Mail (DKIM) allows an administrative mail
  domain (ADMD) to assume some responsibility for a message.  Based on
  deployment experience with DKIM, this Best Current Practices document
  provides guidance for the use of DKIM with scenarios that include
  Mailing List Managers (MLMs).




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-dkim-mailinglists/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-dkim-mailinglists/


No IPR declarations have been submitted directly on this I-D.

Note that I'm going to decline to participate in Pete's AS experiment.  The "plan" was for Pete to try this experiment out on one of his WGs first.

PROTO writeup for draft-ietf-dkim-mailinglists-10

The DKIM Working Group requests the publication of draft-ietf-dkim-mailinglists-10 as a BCP. Alternatively, this document might be suitable for Pete's "Applicability Statement" experiment, at the Proposed Standard level.

  (1.a) Who is the Document Shepherd for this document? Has the
        Document Shepherd personally reviewed this version of the
        document and, in particular, does he or she believe this
        version is ready for forwarding to the IESG for publication?

Barry Leiba is the document shepherd.  I have reviewed this version, and am satisfied that it's ready.

  (1.b) Has the document had adequate review both from key WG members
        and from key non-WG members? Does the Document Shepherd have
        any concerns about the depth or breadth of the reviews that
        have been performed? 

The document has adequate review, and I have no concerns about the level of review.

  (1.c) Does the Document Shepherd have concerns that the document
        needs more review from a particular or broader perspective,
        e.g., security, operational complexity, someone familiar with
        AAA, internationalization or XML?

I have no concerns.

  (1.d) Does the Document Shepherd have any specific concerns or
        issues with this document that the Responsible Area Director
        and/or the IESG should be aware of? For example, perhaps he
        or she is uncomfortable with certain parts of the document, or
        has concerns whether there really is a need for it. In any
        event, if the WG has discussed those issues and has indicated
        that it still wishes to advance the document, detail those
        concerns here. Has an IPR disclosure related to this document
        been filed? If so, please include a reference to the
        disclosure and summarize the WG discussion and conclusion on
        this issue.

I have no concerns.  There is no IPR involved.

  (1.e) How solid is the WG consensus behind this document? Does it
        represent the strong concurrence of a few individuals, with
        others being silent, or does the WG as a whole understand and
        agree with it? 

There is consensus of the working group, as a whole, behind it.  A
minority of participants feel that the advice given in the last paragraph
of section 1 is all that makes sense, and that the rest of the document
isn't needed (see "Working Group Summary" later in this writeup).  Those
participants are willing to accept this document, nonetheless, seeing
no harm in it.

  (1.f) Has anyone threatened an appeal or otherwise indicated extreme
        discontent? If so, please summarise the areas of conflict in
        separate email messages to the Responsible Area Director. (It
        should be in a separate email because this questionnaire is
        entered into the ID Tracker.)

No.

  (1.g) Has the Document Shepherd personally verified that the
        document satisfies all ID nits? (See the Internet-Drafts Checklist
        and http://tools.ietf.org/tools/idnits/). Boilerplate checks are
        not enough; this check needs to be thorough. Has the document
        met all formal review criteria it needs to, such as the MIB
        Doctor, media type and URI type reviews?

There are no ID nits, apart from a reference issue (see 1.h).

  (1.h) Has the document split its references into normative and
        informative? Are there normative references to documents that
        are not ready for advancement or are otherwise in an unclear
        state? If such normative references exist, what is the
        strategy for their completion? Are there normative references
        that are downward references, as described in [RFC3967]? If
        so, list these downward references to support the Area
        Director in the Last Call procedure for them [RFC3967].

All references are properly separated and labelled.
There is a normative reference to RFC 5598, an informational document.  This document defines terms used in discussion of email architecture, and is widely referenced in this manner.

  (1.i) Has the Document Shepherd verified that the document IANA
        consideration section exists and is consistent with the body
        of the document? If the document specifies protocol
        extensions, are reservations requested in appropriate IANA
        registries? Are the IANA registries clearly identified? If
        the document creates a new registry, does it define the
        proposed initial contents of the registry and an allocation
        procedure for future registrations? Does it suggest a
        reasonable name for the new registry? See [RFC5226]. If the
        document describes an Expert Review process has Shepherd
        conferred with the Responsible Area Director so that the IESG
        can appoint the needed Expert during the IESG Evaluation?

There are no IANA issues with this document, and the IANA Considerations section says that.

  (1.j) Has the Document Shepherd verified that sections of the
        document that are written in a formal language, such as XML
        code, BNF rules, MIB definitions, etc., validate correctly in
        an automated checker?

There is no formal language in this document.

  (1.k) The IESG approval announcement includes a Document
        Announcement Write-Up. Please provide such a Document
        Announcement Write-Up? Recent examples can be found in the
        "Action" announcements for approved documents. The approval
        announcement contains the following sections:

    Technical Summary
        Relevant content can frequently be found in the abstract
        and/or introduction of the document. If not, this may be
        an indication that there are deficiencies in the abstract
        or introduction.

DomainKeys Identified Mail (DKIM) allows an administrative mail
domain (ADMD) to assume some responsibility for a message.  Based on
deployment experience with DKIM, this Best Current Practices document
provides guidance for the use of DKIM with scenarios that include
Mailing List Managers (MLMs).
 
    Working Group Summary
        Was there anything in WG process that is worth noting? For
        example, was there controversy about particular points or
        were there decisions where the consensus was particularly
        rough?

There is a significant sense that the only "right" thing to advise
with regard to mailing list managers is that messages forwarded by
the MLM be DKIM-signed, and that verifiers consider the MLM domain's
signature in making their assessments.  This is captured in the
document.  Notwithstanding that, there is consensus that further
advice, as given in the document, is appropriate and useful.

    Document Quality
        Are there existing implementations of the protocol? Have a
        significant number of vendors indicated their plan to
        implement the specification? Are there any reviewers that
        merit special mention as having done a thorough review,
        e.g., one that resulted in important changes or a
        conclusion that the document had no substantive issues? If
        there was a MIB Doctor, Media Type or other expert review,
        what was its course (briefly)? In the case of a Media Type
        review, on what date was the request posted?
       
This document does not define a protocol, but specifies practices
recommended for using DKIM in scenarios that include Mailing List
Managers.  The document reflects the best practices at the current
time, in the judgment of the DKIM working group.