> On Apr 22, 2023, at 12:58 PM, John Levine <jo...@taugh.com> wrote:
> 
> It appears that Jesse Thompson  <z...@fastmail.com> said:
>> A DNS-based lookup, perhaps in the style of ATSP as this thread is 
>> describing, to query for not just domain-level authorization, but also 
>> potentially user-level authorization, I think is
>> compelling because it can:
> 
> Once again, no. This is not mission creep, it is mission gallop.

The current mission is chaos!!  I sometimes wonder if the intent is to keep it 
chaotic to show non-consensus is really the strategy.  Jesse was referring to 
user policies.  ATPS is about domain policies.  Let's not confuse this.

> Nobody uses ATSP, nobody is going to use ATSP, this is just yet more
> distraction and wheel spinning that is keeping us from finishing.

-1

First, not true, there is running code using ATPS, and you know it.  Second, 
there are APIs that support it.  It may be disabled in the open source but it's 
there. Second, when an editor does not champion his own work, it will be much 
harder to sell.  There is absolutely no reason why a receiver cannot do an ATPS 
check if it's already doing a DMARC with false positive results due to not 
doing an ATPS.

What has kept us from finishing this 17+ year project was the editor of ADSP 
and now editor of DMARCbis preventing 3rd party authorization concepts.  He 
removed it from SSP when it was hijacked with ADSP.   To his credit, it's on the 
record, he didn’t want people using ADSP and was successful in getting it abandoned 
as a proposed standard and made it historic.

But DMARC snuck in via M3 as an Informational status and since he can’t stop 
domains from using DMARC, he took over the editing of DMARCbis and now wants a 
MUST NOT p=reject without explaining how to best avoid its problems for 
existing systems.

Yet, his answer to the DMARC problem, as a single implementation with IETF 
list, is to strip the security of a domain using a Rewrite and does not want to 
document it as a DMARCBis solution to the problem he refuses to help fix, nor 
document the subscription/submission restrictions method, something he could 
have done rather than introduce an unfortunate mail engineering taboo to the 
industry - a new security loophole caused by this rewrite:

     Destroyed Mail Authorship Authentication Replays

I almost believe he wants DMARCBis to fail as a Proposed Standard, therefore 
refusing to also change it back to informational status as suggested by Barry 
Leiba since it would give DMARCbis a better chance of surviving IETF 
engineering scrutiny and passing last call.

As a proposed standard, there will be friction when ADSP was abandoned for 
reasons DMARCBis is not resolving other than saying don’t use restrictive 
domains.   That’s what's slowing this down.

—
HLS
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc