Face DDX face to face meeting, IETF, Minneapolis
2008-11-16, 1:30 - 5:30 PM
...
- RL "Bob" will ask US government contacts about interest in DKIM.
- Everyone will post "user stories" to wiki and mailing list.
- RL "Bob" and Internet2 folks will organize biweekly conference calls.
Bob introduced the activity by observing that it is attempt to bring together many different communities:
...
Minnesota is deploying a service to support indication of "official" communication from campus authorities. The officialness indicator is in a message header and is interpreted by the campus webmail system which highlights the message. This could be implemented more securely and generally via DKIM. More generally MUAs could re-enable image loading (eg logos) for messages from trusted senders. A logo or other image could be put in or linked from the DNS record to be displayed with verified messages (similarly to logos in X.509 certs). Would large providers like Google/Yahoo/Live buy into a scheme like this? Maybe. Could The could also be inter-institutional uses.
...
Graylisting is used by some sites to delay mail delivery from suspect sources (includes other methods too?). Signed mail from trusted sources could bypass graylisting, so improve delivery times for trusted partners.
How much variation is there in the methods different sites use in email filtering? If there is a lot of variation, does that make using common approaches to introducing DKIM more difficult?
Faculty sometimes report delivery delays or failures for messages to/from government funding agencies, causing unhappiness around grant submission deadlines etc. Improving delivery success for these trusted partners would be a real motivator. We should check with USG folks about status and interest.
...
Patrik Wallström of iis.se presented regarding DKIM and DNSSEC. DNSSEC . is fully supported in .se but still sees little significant use. Various end-user applications might be motivators for DNSSEC, but deployment issues such as broken DNS behavior in SOHO NATs/routers is a big problem. DKIM is appealing because it is a server-based technology. DNSSEC removes a substantial security hole in typical DKIM key-fetching. DKIM-Milter 2.8.0 beta out now - http://opensource.is.se/
.
Is it feasible to include DNSSEC support in the DDX activity? Maybe, but DNSSEC in .edu is not imminent. .gov is being signed, so that might be part of working with USG sites.
In conclusion there was consensus that DKIM technology is worth pursuing by the institutions represented and that a community-based trial has promise. Work needs to be done to describe the benefits, understand the tools available and the deployment decisions to be made.Wiki Markup