ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: "why I quit writing internet standards"

2014-04-14 22:41:28
from [Miles Fidelman] [Permanent Link] 
Scott Kitterman wrote:

On Monday, April 14, 2014 10:14:19 Murray S. Kucherawy wrote:

On Mon, Apr 14, 2014 at 9:02 AM, Miles Fidelman

<mfidelman(_at_)meetinghouse(_dot_)net>wrote:

Then again, the current DMARC debacle presents a cautionary tale of more
ad hoc approaches.

DMARC's proponents tried to come to the IETF to form a working group so
that it could undergo the rigors of standards development, and thus not be
as "ad hoc" as you're describing.  It was not accepted, on the basis that,
in essence, the work was already done so there's nothing for the IETF to
contribute.

(If I've mischaracterized this, I'm happy to be corrected.)

If that's true, it's my impression it's true because the DMARC proponents
insisted any possible working group charter preclude meaningful changes to the
base specification because the work was already done.

Personally, I was kind of OK with the current plan, although I thought it far
from ideal because I thought there was a clear understanding among the DMARC
proponents about what kinds of domains p=reject was appropriate for (not ones
with real users that commonly use use cases for which p=reject is
problematic).

Now that that clearly isn't the case, I think the plan needs to be revisited.
It it was clearly understood about when p=reject is/is not appropriate - and someone (who's corporate name begins with Y) misapplied it - is this not akin to the propagation of corrupted routing data, and meriting a comparable response from all concerned? If done intentionally, with knowledge of the potential consequences - does this not tread into the grounds of a DDoS attack, and merit comparable response? And if the perpetrator does not act to roll back their action - does that not merit a strong response?
I believe that there are laws against "knowingly caus[ing] the transmission of a program, information code, or command, and as a result of such conduct, intentionally causes damages without authorization to a protected computer” (That's from the Computer Fraud and Abuse Act.)
And.. just for the heck of it.. I reported this to CERT. The impact on the systems I run has been far higher than, say, the Heartbeat vulnerability. Kind of interested to see what kind of response I get. 

Miles Fidelman


--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: DMARC: perspectives from a listadmin of large open-source lists, Scott Kitterman
Next by Date:  Re: DMARC from the perspective of the listadmin of a bunch of SMALL community lists, Scott Kitterman
Previous by Thread:  Re: "why I quit writing internet standards", Scott Kitterman
Next by Thread:  Re: "why I quit writing internet standards", Dave Crocker
Indexes:  [Date] [Thread] [Top] [All Lists]