
RE: Let's talk (was: DMARC: perspectives from a listadmin of large open-source lists)

2014-04-15 22:45:14


-----Original Message-----
From: S Moonesamy [mailto:sm+ietf(_at_)elandsys(_dot_)com]
Sent: Tuesday, April 15, 2014 6:36 PM
To: MH Michael Hammer (5304); ietf(_at_)ietf(_dot_)org
Subject: Let's talk (was: DMARC: perspectives from a listadmin of large open-source lists)

Hi Mike,
At 13:30 15-04-2014, MH Michael Hammer (5304) wrote:
My experience with regard to working groups is that it is
(technically) easy to participate and does not necessarily involve any
particular costs. I don't go to IETF meetings but have participated in
WG sessions during IETF meetings through jabber. Not the optimal
solution but it works. I think that the notion of 8000lb gorillas
somewhat misrepresents the situation. Some of the active participants
in the working groups I've been involved with continue their
involvement even when they change employers. With that in mind, I
believe that in many cases it truly is the individual and not the
individual as mouthpiece for the organization. I also believe that the
8000lb gorillas have many of the same interests as smaller
organizations and individuals even though there are times where
interests may diverge. It's also clear to me that there is not
uniformity of interests across constituencies within large
organizations. It's complex. So let's talk.

It is, as you mentioned, complex.  I'll be one-sided in this comment.  There is
a cost to participation on the mailing lists and to attend meetings.  There is a
higher burden for a small company or an individual.  People from small
companies sometimes get ignored or it is like the minority view (see Dave
Cridland's message at
http://www.ietf.org/mail-archive/web/ietf/current/msg87389.html ).


I think this conflates two different issues:

1) Cost to participation. While I may work for a larger organization, much if 
not most of my participation is in addition to my other work obligations. I 
know of other folks in a similar situation. I participated before I worked at a 
large organization, I participated when I had my own small business and I may 
choose to participate in the future if my circumstances change. There are other 
people whose occupation consists solely of standards work. I don't have any 
meaningful answer to your comment. Quite frankly, I'm asking myself why I 
should personally continue to engage with the IETF process at all. It's not as 
if my employer is demanding it. Do I really want to be engaging with IETF after 
a 16 hour day working on other stuff? It must be masochism.

2) Getting ignored or minority view. I don't believe it is simply a function of 
company size - at least for the WGs I've participated in. I'd assert that at 
least in the email/email auth WGs it's more a function of long term 
participants, many of whom have calcified positions (across the spectrum). I 
can think of at least one person from a relatively large company who gets 
ignored a fair bit, so size is not necessarily a factor. I've been in the 
minority view on various issues in the WGs I've participated in. That's life - 
I chose Betamax. To a certain extent it's also a function of who is wrangling 
the WG and how they manage the WG. I don't really think about whether a person 
is with a large company, a small company or an individual - I'm more interested 
in the quality and practicality of their ideas. I'm more of a security and 
operations guy and that colors my perspective.

I'm not sure if you are looking for a response to Dave Cridland's message in 
the context of DMARC specifically. As I noted when I first posted to this 
group, I don't speak on behalf of DMARC and my comments are on a personal 
basis. When DMARC came along, as a sender I only had to publish a p=reject 
policy. We (my employer) had done the heavy lifting in terms of changing our 
mailing practices back in 2007 before there was a dmarc.org or a spec. I had 
some concerns about a wide open WG but wasn't necessarily against it. My 
concerns were more along the line of how much of a grind it might be on a 
personal basis (after my experiences with other WGs). I do recognize that 
others made a significant investment in implementing running code to make 
things work. I think a lot of people underestimate what was involved and overly 
discount concerns about radical modifications to the spec. When I did my 
original effort in 2007 it was a five month project involving quite a few 
people to change how our websites handled mail to accommodate strong authentication for SPF 
and DKIM. I'll also point out that the interoperability event for DKIM didn't 
take place until 2008 which meant I was somewhat going out on a limb. I'm sure 
that for others to do their DMARC implementations on the mailbox provider side 
several years later it was a larger effort than what I went through. My 
personal belief is that nobody was looking to get an IETF rubber stamp. Perhaps 
the concerns might have been communicated differently and perhaps there might 
have been a little less skepticism as to intent.

So on to the mail list issue. On one level I want to say not my issue. I don't 
publish p=reject for any domains with users that send to mail lists so as I've 
said, my ox isn't getting gored. There were plenty of discussions in the DKIM 
working group about 1st party signatures vs 3rd party signatures and trust and 
reputation and who should do what and who wouldn't do what. At the end of the 
day the can was kicked down the road. So here we are. I don't have any answers 
for this group. I've already stated in a previous post how I think it will play 
out. I'm leaning towards just walking away and spending cycles on something 
that is more productive from my perspective. The juice just isn't worth the 
squeeze.

I can understand that an individual is not the mouthpiece of the organization
if that individual sometimes speaks up to say that management is saying X
but he or she does not think that it is a great idea.  You have tried to be
positive by discussing this publicly, politely and without resorting to
marketing language.  Let's see who else would like to talk.


I don't think you are likely to see someone speaking up in that particular way. 
"My boss has bad ideas" posted to a public forum is not a career enhancing move 
even if phrased politely. Those sorts of issues would likely get resolved 
internally or the person would likely choose to move to another roost if it is 
a significant issue. That's just common sense. At least for me, in the WGs I've 
participated in, I've had a lot of latitude because the issues are technical 
and it is more me keeping management apprised of what is happening and what I'm 
doing than me getting directives. I can't speak for others or other 
organizations. I don't have anything to sell or market so I have no reason to 
use marketing language. My goal is to protect end users from maliciousness that 
tries to leverage our domains and brands - things like SPF, DKIM and DMARC help 
do that in conjunction with other efforts such as takedowns, blocking, 
prosecutions, etc. I also get involved in other anti-abuse efforts 
that have nothing to do with my employer - because I believe it is the 
right thing to do. Standards are just one piece of the puzzle.

It's been a long day and I've rambled on more than enough.

Mike

