ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: placing a dollar value on IETF IP.

2008-10-29 14:27:56
from [Doug Otis] [Permanent Link] 

On Oct 28, 2008, at 10:12 AM, John C Klensin wrote:
One could, of course, make many of the same observations about replacing SMTP and/or today's Internet mail formats with some newly- invented and improved system, replacing HTTP with something more elegantly designed based on what we know about computer systems today, etc., as well as failure to harmonize residential supply voltages around the world. Whether the problem is one of network effects or the related one of the costs of replacing/ converting a large installed base, the consequences are the same: mere incremental technical superiority is almost never sufficient to motivate an incompatible change.
Agreed. However, the issue is often not about compatibility, or comparative adoption costs. Take an extension to DKIM as an example.
The proposed ADSP extension imposes an incompatible change to support an Authentication-Results header which only identifies the From header field as having been authenticated. An identical looking result can be obtained when DKIM-ADSP is replaced with Sender-ID.
In the case of ADSP, a compliant DKIM signature MUST be on behalf of the From header field, even when a different identity had been authenticated when signing. In the case of Sender-ID, no email- address is authenticated, and yet the appearance of an email-address being authenticated is given. Neither DKIM-ADSP or Sender-ID offer authenticated the email-addresses. It is harder to SELL a service that adds a header that says "invalidation-results". Rather than identifying an email-address as being INVALID with a moderate level of assurance, this header indicates PASS under the guise of authentication, but without there being either safe or reasonable levels of assurance to make the assertion.
This clearly is not about compatibility or relative adoption costs. These two approaches both represent incompatible changes where better alternatives do not impose additional cost. Sender-ID's macro expansion of DNS records can cause hundreds of subsequent DNS transactions generated by recipients of spam, along with SMTP's inability comply with Sender-ID's path registration methods. ADSP's subversion of DKIM's "on-behalf-of" will no longer reflect what was authenticated. Both Sender-ID and ADSP have the potential for imposing significant future costs, incompatibilities, and damages.
The standardization process is being influenced by large providers wanting to both blame shift and to overstate the offering of their services which puts recipients at significant risk. Whenever an email-address owner finds themselves blocked, it unfairly becomes their fault for trusting a provider that never promised to authenticate PRA or From email-addresses. IETF's role should be to ensure dangerously misleading schemes are not endorsed, even when desired by those working for influential parties within the IETF. A judgement of merit should not be limited to technical excellence, but should still include a consideration of the greater good. Perhaps something similar to the Hippocratic oath to abstain from whatever is deleterious and mischievous. Be the IETF and not the IVTF. : ) 

-Doug
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Gen-ART LC review of draft-ietf-isis-hmac-sha-05, Ben Campbell
Next by Date:  Re: [Sip] Last Call: draft-ietf-sip-dtls-srtp-framework (Framework for Establishing an SRTP Security Context using DTLS) to Proposed Standard, Thierry Moreau
Previous by Thread:  RE: placing a dollar value on IETF IP., Hallam-Baker, Phillip
Next by Thread:  RE: placing a dollar value on IETF IP., michael.dillon
Indexes:  [Date] [Thread] [Top] [All Lists]