DomainKeys Identified Mail (DKIM) Service Overview
draft-ietf-dkim-overview-12

[Ballot comment]
I want to discuss this on the call:

> Mail that is
> not signed by DKIM is handled in the same way as it was before DKIM
> was defined.

Isn't this a contradiction to what the signing practices model does?
That is, if the signing practices claim that all mail is signed
by DKIM, and this particular message has no DKIM signature, aren't
we throwing the message away?

Also:

>    service as its key server technology.  [RFC4871] It permits

Odd use of the reference. Which sentence does the reference belong
to?

[Ballot comment]
In section 1.4.1 you have "(per Allman)". Presume this is a reference to RFC 4871 and so changning to "[RFC4871]" would be nice. but if it is a reference to something else, perhaps you could iclude it.

[Ballot comment]
>    service as its key server technology.  [RFC4871] It permits

Odd use of the reference. Which sentence does the reference belong
to?

[Ballot comment]
In Figure 1, the flow from the "Assessments" box is non-deterministic; it appears the next step could be "Check Signing Practices" or "Message Filtering Engine".  The supporting text in Section 5.5 did not clarify the situation.

I would suggest labeling the diagram or adding explanatory text in 5.5.

[Ballot comment]
1.  Introduction

[...]

  DKIM allows an organization to take responsibility for a message, in
  a way that can be verified by a recipient.  The organization can be a
  direct handler of the message, such as the author's, the originating
  sending site's or an intermediary's along the transit path.  However
  it can also be and indirect handler, such as an independent service
  that is providing assistance to a direct handler.  DKIM defines a
  domain-level digital signature authentication framework for email
  through the use of public-key cryptography and using the domain name
  service as its key server technology.  [RFC4871] It permits

I think the reference is meant to be before the dot.

  verification of the signer of a message, as well as the integrity of
  its contents.  DKIM will also provide a mechanism that permits
  potential email signers to publish information about their email
  signing practices; this will permit email receivers to make
  additional assessments of unsigned messages.  DKIM's authentication
  of email identity can assist in the global control of "spam" and
  "phishing".

1.2.  Prior Work

[...]

  There have been four previous IETF Internet Mail signature standards.
  Their goals have differed from those of DKIM.  The first two are only
  of historical interest.

Actually, I think the 2nd and the 3rd are of historical interest.
I.e. OpenPGP is still in use.

  o  Pretty Good Privacy (PGP) was developed by Phil Zimmermann and
      first released in 1991.  A later version was standardized as
      OpenPGP.  [RFC2440] [RFC3156] [RFC4880]

  o  Privacy Enhanced Mail (PEM) was first published in 1987.
      [RFC0989]

  o  PEM eventually transformed into MIME Object Security Services
      (MOSS) in 1995.  [RFC1848] [RFC1991]

RFC 1991 is "PGP Message Exchange Formats". Is it the correct reference here?

  o  RSA Security independently developed Secure MIME (S/MIME) to
      transport a PKCS #7 data object.  It was standardized as [RFC3851]


2.2.  Enabling Trust Assessments

[...]

  In order to formulate reputation information, an accurate, stable
  identifier is needed.  Otherwise, the information might not pertain
  to the identified organization's own actions.  When using an IP
  Address, accuracy is based on the belief that the underlying Internet
  infrastructure supplies an accurate address.  When using domain based
  reputation data, some other form of verification is needed, since it
  is not supplied independently by the infrastructure

Missing dot.

3.1.1.  Use Domain-level granularity for assurance

[...]

  Contrast this with OpenPGP and S/MIME, which associate verification
  with individual authors, using their using full email addresses.

I think the second "using" should be deleted from this sentence.


3.1.4.  Distinguish the core authentication mechanism from its
        derivative uses

  An authenticated identity can be subject to a variety of assessment
  policies, either ad hoc or standardized.  DKIM separates basic
  authentication from assessment.  The only semantics inherent to a
  DKIM signature is that the signer is asserting some kind of
  responsibility for the message.  Any interpretation of this kind of
  responsibility is the job of services building on DKIM, but the
  details are beyond the scope of that core.  One such mechanism might
  assert a relationship between the SDID and the author, as specified
  in the From: header field's domain identity.[RFC5322] Another might

I think "[RFC5322]" should be before the dot.

  specify how to treat an unsigned message with that From: field
  domain.

PROT Write-Up

    (1.a) Who is the Document Shepherd for this document? Has the
          Document Shepherd personally reviewed this version of the
          document and, in particular, does he or she believe this
          version is ready for forwarding to the IESG for publication?
---------------------------------------------------------------------
The document shepherd is Barry Leiba.  Yes, I have reviewed it, and
it is ready.
---------------------------------------------------------------------

    (1.b) Has the document had adequate review both from key WG members
          and from key non-WG members? Does the Document Shepherd have
          any concerns about the depth or breadth of the reviews that
          have been performed?
---------------------------------------------------------------------
It has had good review by the working group.  I don't anticipate issues from
outside the working group, and I'm not concerned with the level of review.
---------------------------------------------------------------------

    (1.c) Does the Document Shepherd have concerns that the document
          needs more review from a particular or broader perspective,
          e.g., security, operational complexity, someone familiar with
          AAA, internationalization or XML?
---------------------------------------------------------------------
No.
---------------------------------------------------------------------

    (1.d) Does the Document Shepherd have any specific concerns or
          issues with this document that the Responsible Area Director
          and/or the IESG should be aware of? For example, perhaps he
          or she is uncomfortable with certain parts of the document, or
          has concerns whether there really is a need for it. In any
          event, if the WG has discussed those issues and has indicated
          that it still wishes to advance the document, detail those
          concerns here. Has an IPR disclosure related to this document
          been filed? If so, please include a reference to the
          disclosure and summarize the WG discussion and conclusion on
          this issue.
---------------------------------------------------------------------
No concerns, and no IPR issues specifically with this document.  There
is an IPR disclosure on the base DKIM spec (RFC 4871) that readers of
this document should be aware of.
See https://datatracker.ietf.org/ipr/920/
---------------------------------------------------------------------

    (1.e) How solid is the WG consensus behind this document? Does it
          represent the strong concurrence of a few individuals, with
          others being silent, or does the WG as a whole understand and
          agree with it?
---------------------------------------------------------------------
There is clear WG consensus in the working group as a whole.
---------------------------------------------------------------------

    (1.f) Has anyone threatened an appeal or otherwise indicated extreme
          discontent? If so, please summarise the areas of conflict in
          separate email messages to the Responsible Area Director. (It
          should be in a separate email because this questionnaire is
          entered into the ID Tracker.)
---------------------------------------------------------------------
No.
---------------------------------------------------------------------

    (1.g) Has the Document Shepherd personally verified that the
          document satisfies all ID nits? (See
          http://www.ietf.org/ID-Checklist.html and
          http://tools.ietf.org/tools/idnits/). Boilerplate checks are
          not enough; this check needs to be thorough. Has the document
          met all formal review criteria it needs to, such as the MIB
          Doctor, media type and URI type reviews?
---------------------------------------------------------------------

There are three I-D nits remaining, as well as a handful of editorial
nits, all of which can be fixed in AUTH48.  I'll send the editorial
nits to the authors separately.  I-D nits:

1. There's an unused informative reference to
  draft-kucherawy-sender-auth-header-15
There's been an update to that draft, but the reference should probably
come out  anyway, or else it should be referred to somewhere.

2. The document references RFC 2821, which has now been obsoleted by RFC 5321.

3. The document references RFC 2822, which has now been obsoleted by RFC 5322.
---------------------------------------------------------------------

    (1.h) Has the document split its references into normative and
          informative? Are there normative references to documents that
          are not ready for advancement or are otherwise in an unclear
          state? If such normative references exist, what is the
          strategy for their completion? Are there normative references
          that are downward references, as described in [RFC3967]? If
          so, list these downward references to support the Area
          Director in the Last Call procedure for them [RFC3967].
---------------------------------------------------------------------
All references are informative, and are so labelled.
---------------------------------------------------------------------

    (1.i) Has the Document Shepherd verified that the document IANA
          consideration section exists and is consistent with the body
          of the document? If the document specifies protocol
          extensions, are reservations requested in appropriate IANA
          registries? Are the IANA registries clearly identified? If
          the document creates a new registry, does it define the
          proposed initial contents of the registry and an allocation
          procedure for future registrations? Does it suggest a
          reasonable name for the new registry? See [RFC5226]. If the
          document describes an Expert Review process has Shepherd
          conferred with the Responsible Area Director so that the IESG
          can appoint the needed Expert during the IESG Evaluation?
---------------------------------------------------------------------
There are no IANA actions for this document, and the IANA Considerations
section so states.
---------------------------------------------------------------------

    (1.j) Has the Document Shepherd verified that sections of the
          document that are written in a formal language, such as XML
          code, BNF rules, MIB definitions, etc., validate correctly in
          an automated checker?
---------------------------------------------------------------------
There are no formal specification languages used.
---------------------------------------------------------------------

    (1.k) The IESG approval announcement includes a Document
          Announcement Write-Up. Please provide such a Document
          Announcement Write-Up? Recent examples can be found in the
          "Action" announcements for approved documents. The approval
          announcement contains the following sections:

          Technical Summary
            Relevant content can frequently be found in the abstract
            and/or introduction of the document. If not, this may be
            an indication that there are deficiencies in the abstract
            or introduction.
---------------------------------------------------------------------
This document provides a description of the architecture and
functionality for DomainKeys Identified Mail (DKIM).  It is intended
for those who are adopting, developing, or deploying DKIM.  It will
also be helpful for those who are considering extending DKIM, either
into other areas of use or to support additional features.  This
overview does not provide information on threats to DKIM or email, or
details on the protocol specifics, which can be found in [RFC4686] and
[RFC4871], respectively.  The document assumes a background in basic
email and network security technology and services.
---------------------------------------------------------------------

          Working Group Summary
            Was there anything in WG process that is worth noting? For
            example, was there controversy about particular points or
            were there decisions where the consensus was particularly
            rough?
---------------------------------------------------------------------
Nothing needing noting.  This document provides implementation and
deployment advice.  The controversies appeared in the development of
the protocols that it describes, not in this document.
---------------------------------------------------------------------

          Document Quality
            Are there existing implementations of the protocol? Have a
            significant number of vendors indicated their plan to
            implement the specification? Are there any reviewers that
            merit special mention as having done a thorough review,
            e.g., one that resulted in important changes or a
            conclusion that the document had no substantive issues? If
            there was a MIB Doctor, Media Type or other expert review,
            what was its course (briefly)? In the case of a Media Type
            review, on what date was the request posted?
---------------------------------------------------------------------
None of these specific questions apply.  The document is of good quality.
---------------------------------------------------------------------