Dave,
Dave Crocker wrote:
On 4/12/2014 12:56 PM, Miles Fidelman wrote:
- DMARC.org defines the "DMARC Base Specification" with a link to
https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/ - an IETF
document
While the Internet-Draft mechanism is operated by the IETF, it is an
open mechanism and issuance through it carries no automatic status,
particularly with respect to the IETF.
The DMARC specification is not 'an IETF document'. The current plan
is to publish it as an RFC, through the 'Independent' stream, which
also is /not/ an IETF activity.
My point is that the folks behind dmarc PRESENT it in a way that
implicitly makes it look like an IETF document, and that it's on the
standards track. The reality, as you say, is different. "Plan to" is
vaporware.
- the referenced document is an informational Internet draft, that
Drafts do not have status. So the qualifier 'informational' here is
not meaningful.
As currently published, it carries the header
Intended status: Informational
In essence, DMARC is being represented as a mature, standards-track IETF
specification - with the implication that it's been widely vetted, and
is marching through the traditional experimental -> optional ->
recommended -> mandatory steps that IETF standards go through.
In reality:
- DMARC was developed by a tiny number of people, all of whom work for
very large ISPs
Well, a few of us who participated don't...
fair enough - but again, just look at http://dmarc.org/about.html - I
don't see your name, or any other small individuals or ISPs - what I do
see are
"A group of leading organizations came together in the spring of 2011"
and
"The founding contributors include:
* *Receivers:* AOL, Comcast, GMail, Hotmail, Netease, Yahoo! Mail
* *Senders:* American Greetings, Bank of America, Facebook, Fidelity,
JP Morgan Chase, LinkedIn, PayPal
* *Intermediaries & Vendors:* Agari, Cloudmark, ReturnPath, Trusted
Domain Project"
This was very much an industry-based effort.
- as far as I can tell, all input from the broader community - notably
mailing list developers and operators was roundly ignored or dismissed
(the transcript is really clear on this)
What transcript? I'm not aware of its being 'ignored or dismissed'.
Funny, that's the impression I get when I read back through the archives
for dmarc-discuss(_at_)dmarc(_dot_)org and dmarc(_at_)ietf(_dot_)org
pretty much all discussion of aligning the From: field came down to -
"you change"
- while DMARC is at least partially tested, deploying and honoring
"p=reject" messages is brand new, and has wreaked tremendous damage
across the net
It's not new at all, though of course Yahoo's use is distinctive.
Depends on your definition of "new" - and while DMARC builds on an older
base, DMARC itself was started in 2011, and I assume the first standards
and software are more recent then that.
As you say, Yahoo's use is "distinctive" - though I'd use a somewhat
stronger word.
- as far as I can tell, those who are behind DMARC are taking the
position "it's not our problem" (see discussions on
dmarc-discuss(_at_)dmarc(_dot_)org and dmarc(_at_)ietf(_dot_)org) - and there
is nary a Yahoo
representative to be seen anywhere
I've no idea what specifics you are referring to.
I've been following the discussions, on lots of lists, and I've yet to
see someone say even "I'm from Yahoo and we feel your pain" - much less
"hmm... maybe this wasn't such a good idea, we're going to back off and
implement in a slightly gentler manner - and maybe provide some support
to help patch the major list management packages" - or even "our
implementation honors Original-Authentication-Results"
nope - as far as I can tell, the folks who turned on p=reject at Yahoo
don't seem to have even told their own security or customer care folks
about what's going on - at least when this first broke, and I contacted
Yahoo's postmaster (thinking I needed to get our servers back on the
whitelist) - they just pointed me at the whitelist request form
The situation strikes me as incredibly perverse and broken - the more so
that the perpetrators are presenting this as blessed by the IETF
standards process.
I haven't seen anyone present such a claim of blessing. Please point
to the specifics.
I fear you are confusing the difference between a desire for standards
status with a claim of its having been granted.
No... I'm quoting the way that dmarc.org is presenting the "DMARC Draft
Specification" - as marching through the IETF standards track, as it is
generally understood, and then hiding in the fine print that no such
thing has happened, or is currently happening
I'm not confused. It is, and I think intentionally, being presented in
a way that is intended to confuse. And I personally think that IETF
should be calling them on it. Officially, loudly, and clearly. (The
same way that Xerox and Kleenex jump down the throats of anybody who
tries to use their names generically. )
Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra