Dick Franks wrote:
On 13 April 2014 00:35, <ned+ietf(_at_)mauve(_dot_)mrochek(_dot_)com
<mailto:ned+ietf(_at_)mauve(_dot_)mrochek(_dot_)com>> wrote:
[snip]
The real question we should be discussing is what options the IETF
has to try
and address this.
IETF has already adequately addressed this issue by its insistence on
inclusion of this statement in the document preamble:
It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
An implementation based on I-D reference material is therefore no better than "work
in progress".
The blame for this debacle lies squarely with Yahoo, and its inadequate
engineering change management.
That's all in the fine print. The folks behind DMARC are representing
DMARC as both IETF standards-track - both implicitly (by pointing to a
"specification" published as an IETF document) and explicitly (multiple
statements along the lines of "intended as... " and "intend to submit),
and as mature. Yahoo is using that to justify it's actions ("Today, 80%
of US email user accounts and over 2B accounts globally can be protected
by the DMARC standard.")
By no sense of the imagination is DMARC a "standard" (or even much of a
specification) - IETF or otherwise - much less a mature one.
To my mind, IETF's inaction, and silence is both morally wrong, and
carries a longer term risk:
- as the Internet standards body, IETF and its participant have a
professional and moral responsibility to speak for "what is an Internet
standard," as well as what constitutes responsible implementation,
deployment, and operation of Internet protocols -- not just leave it in
the fine print
- IETF, to a large degree, dropped the ball on a "standard," that for
some period of time was worked on under the aegis of an IETF WG
- allowing someone to represent something as an IETF standard carries a
risk to IETF's standing, effectiveness, and credibility as the
Internet's standards body (ISO tends to get very upset if someone claims
to be ISO9000 certified, but isn't; Xerox sends lawyers after
competitors who refer to their copiers as "xerox machines")
From an operational perspective, concerned with the stability and
reliability of the Internet infrastructure, this kind of thing really
scares me - particularly in the larger context of current discussions
over changes to Internet governance. This strikes me as a very clear
cut example where our voluntary, cooperative model for doing things is
failing very badly -- in large part because none of our institutions of
self-governance are stepping up to the plate. ("We wrote a disclaimer
in the fine print" is not stepping up to the plate.)
Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra