Warren Kumari wrote:
On Sat, Apr 12, 2014 at 4:30 PM, Dave Crocker <dhc(_at_)dcrocker(_dot_)net>
wrote:
On 4/12/2014 12:56 PM, Miles Fidelman wrote:
- DMARC.org defines the "DMARC Base Specification" with a link to
https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/ - an IETF
document
While the Internet-Draft mechanism is operated by the IETF, it is an open
mechanism and issuance through it carries no automatic status, particularly
with respect to the IETF.
It seems that folk often miss this particular point (see the recent
drama about draft-loreto-httpbis-trusted-proxy20). Pointing at the
boilerplate, explaining the fact that anyone (with an Internet
connection and an XML editor) can submit an ID, etc doesn't seem to
work. I considered pointing at, well, anything by Terrell, but instead
decided to publish a draft :-P
http://tools.ietf.org/html/draft-wkumari-not-a-draft-00
Well yes, but that's the "fine print."
Who ever reads a 20-page shrink-wrap license - and he jury is still out
as to when those apply or can be ignored. And then there's a "warrant
of merchantability" that vendors can be held to despite all kinds of
disclaimers buried in a license.
When the organization that coordinated and promulgated DMARC:
- describes their efforts as "their common goal was to develop an
operational specification to be introduced to the IETF for standardization
- refers to the only defining document as a "Base Specification" and
links to a document, on the IETF's webserver, with an IETF document number
It's kind of easy for the uninitiated to draw the conclusion that it's a
standards-track IETF standard.
Then, when Yahoo defends the havoc they've wrought with statements like
(they) "designed and built something called DMARC
<http://www.dmarc.org/>, or Domain-based Message Authentication,
Reporting and Conformance. Today, 80% of US email user accounts and over
2B accounts globally can be protected by the DMARC standard." - with a
pointer to dmarc.org - and from there to an IETF webserver and document
-- it sure is easy for the general community to draw the conclusion
"Yahoo implemented a vetted IETF standard - and it broke all the mailing
lists I'm on." And it sure is easy for someone to draw the conclusion
that the fault lies with the broken standard, not with Yahoo.
You have to look hard to figure out who really broke what. And (IMHO)
one would not be wrong to draw the conclusion that IETF dropped the ball
in its role as the Internet standards body - if only in it's relative
silence (a disclaimer in the fine print does not constitute exercising
one's professional or institutional responsibilities).
ISO, for example, has processes for complaining about mis-use of their
standards, and about misrepresentation of being certified against a
standard. Perhaps it's time for IETF to institute similar policies and
proceedures - beyond:
"it's not actually a standard - we just provided space for the document"
"it's a voluntary standard, we're not responsible if it's not
implemented properly, or not deployed properly"
We all claim that we don't want governments to run the Internet - but
when our voluntary, cooperative mechanisms drop the ball - that's the
end result. (Along with lots of litigation.)
Just one man's opinion, of course.
Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra