From: Dave Cridland [mailto:dave(_at_)cridland(_dot_)net]
Sent: Wednesday, April 16, 2014 2:24 PM
To: S Moonesamy
Cc: MH Michael Hammer (5304); ietf(_at_)ietf(_dot_)org Discussion
Subject: Re: Let's talk (was: DMARC: perspectives from a listadmin of large
open-source lists)
On 16 April 2014 18:26, S Moonesamy <sm+ietf(_at_)elandsys(_dot_)com> wrote:
Speaking about career enhancing moves, common sense dictates that it is to be
assumed that the individual is the mouthpiece of the organization (I am not
inferring that you are). In my opinion reviews from individuals affiliated
with the companies listed on the web page might not fit within the objectivity
guidelines. It may be difficult to find an external reviewer if Dave Cridland
does not wish to donate his intellectual property rights.
MH: Reviews from 3rd parties have always been welcome and were specifically
asked for from a number of people unaffiliated with dmarc.org. There were
external reviews (although it would have been nice to see more) from various
people. I note that Jim Fenton just posted to the dmarc-ietf list about many of
his suggestions being incorporated.
With regard to mouthpieces, there are some people who clearly are and other
people who are not. It’s generally not too difficult to figure out the
difference between the two.
I'm actually quite happy donating IPR; I do it all the time. The XSF policy on
copyright is an assignment one, for example.
I have no idea what the IPR policy is for DMARC, it has been developed outside
the IETF process, and changes to it from the IETF are not welcome.
MH: The IPR policy for DMARC falls under the OWF – All of the participating
organizations have signed agreements for this. Anyone can contribute as an
individual but the participating organizations have specific contractual
obligations. There are more details on the OWF basis for anyone interested in
participating or contributing through the dmarc-discuss list at
http://www.dmarc.org/note_well.html. Considering that there were multiple
attempts to hand the DMARC spec over to the IETF I think the last part of your
statement is a stretch. There were constraints/considerations that I think
could have been worked out, but for now that is water under the bridge.
Speaking only for myself because I’m not anyone’s mouthpiece, I believe that
any contributions which improve the technical rigor of the specification are
valued and are of benefit to the community in the larger sense. If I believed
otherwise I would not be participating.
So from my perspective, it's like saying "Hey, we'd like you to spend time and
effort on reviewing this so we can tell you why we're not going to make any
changes".
MH: I respect your perspective, Dave. I can only point to the experience of
others that have taken the time and effort and found their suggestions
incorporated. Because the participating organizations are bound by OWF and the
participation agreement, there is an obligation to follow certain processes. I
will say that from my perspective it was never anticipated that we would be
going this long without a handoff to IETF. I’m not looking to debate whether it
should or shouldn’t be or how it might be at this point, I’m only trying to
provide some perspective into why the DMARC process is currently the way it is.
Remember (understand?) that this (DMARC) started because various participants
had private bilateral agreements regarding policy assertions and reporting.
When I first started working on my implementation (and operational changes) I
had to ask various mailbox providers to provide feedback on our mail and
authentication failures, etc. I was accommodated to various degrees because
I/my organization was perceived as aggressively moving to combat abuse. Most of
the providers that responded had to make a special effort to provide that sort
of information and the format and what was included varied from provider to
provider. It was also easier for some because we had partnership or other
contractual agreements already in place that addressed privacy concerns. I
would get a slice of data from one provider and spend an incredible amount of
time trying to get it to mesh with a different slice of data from someone else.
Once we implemented (strong assertions) for SPF and DKIM, some of the folks
working on validation implementations used our mail streams as a reference case
as they developed their validation implementations (and remember, this was
pre-DMARC and even before DKIM was finalized). As participants in the bilateral
efforts compared notes and experiences it was natural to try and standardize
the interactions between all the various players. And once that occurred there
was a desire to make it an open standard rather than a private club because
there was a belief that it was beneficial to the wider community – thus DMARC.
There were other pre-DMARC efforts that did not produce any visible outcome.
Some of them I participated in and others I did not because I felt they were
unlikely to be successful. So at the end of the day, if your perspective is
that it isn’t worth your time and effort, I can’t think of anything I or
anyone else might say that would change your mind.
Mike