SM wrote:
Hi Miles,
At 05:29 12-04-2014, Miles Fidelman wrote:
It does strike me that DMARC, which is currently an internet-draft,
not even an RFC, is causing incredible disruption by its adoption, by
a few very large players. Methinks this indicates a serious problem,
and raises some questions about what measures might be taken when a
big player breaks the Internet by not playing nice. It sure seems
that IETF should play a role in this.
I do not see what IETF participants could do as the internet-draft is
not being reviewed by the IETF. The big player is breaking email sent
to mailing lists. It is not breaking the internet. I would not
expect any company to play nice as it is a business after all.
Well, let's see:
- DMARC is an ad-hoc group that assembled with a "common goal was to
develop an operational specification to be introduced to the IETF for
standardization"
(http://dmarc.org/about.html)
- DMARC.org defines the "DMARC Base Specification" with a link to
https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/ - an IETF
document
- they published an information Internet draft, that expires in October
of this year, that starts with "This memo presents a proposal for a
scalable mechanism by which a mail sending organization can
express,....." https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/
- by implication, they are representing DMARC as a standards-track IETF
specification
Publication of a "proposal" as an information Internet draft, is barely
the first step toward an operational specification standardized by the
IETF - yet DEMARC proponents are representing it as an IETF standard (or
at least as going through the process).
Beyond that, let me note that the draft includes this line: "The
enclosed proposal is not intended to introduce mechanisms that provide
elevated delivery privilege of authenticated email." -- which, of course
is exactly what has been done by Yahoo by publishing "p=reject" in its
DMARC policy, and by those who've chosen to honor it.
So, it seems to me that it is entirely legitimate for IETF to officially
be on the record that:
1. DMARC is NOT even close to an IETF standard
2. It has not been subject to any of the technical and operational
vetting associated with the progression of a specification through the
IETF standardization process
3. The means by which Yahoo has deployed DMARC, and the choice of
several other large ISPs to honor the p=reject policy, is not in keeping
with the practice of measured testing and incremental deployment of IETF
standards, as they progress from proposal, to experimental, to optional,
to recommended, to mandatory
For reasons of technical and professional integrity, IETF should be
distancing itself from this debacle, very loudly and very clearly. If
nothing else, IETF should be defending its legitimacy as the Internet's
standards body - in the same way that Xerox and Kleenex defend their
trademarks.
Beyond that - perhaps a strong position by IETF might have an impact on
Yahoo's decision making.
Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
