On Saturday, April 12, 2014 15:24:48 Franck Martin wrote: > Printed on recycled paper! > > > On Apr 12, 2014, at 12:25, "Scott Kitterman" <skl...@kitterman.com> wrote: > >> On Saturday, April 12, 2014 18:30:39 Franck Martin wrote: > >> Printed on recycled paper! > >> > >>> On Apr 12, 2014, at 3:59, "SM" <s...@resistor.net> wrote: > >>> > >>> Hi Franck, > >>> > >>> At 13:35 10-04-2014, Franck Martin wrote: > >>>> Some random thoughts.... > >>> > >>> [snip] > >>> > >>>> -IETF recent focus is on pervasive monitoring, increasing security, > >>>> prevent identity theft,... DMARC is a tool that helps, it is aligned > >>>> with IETF recent goals. It is deployed, widely used, proven beneficial, > >>>> has still some problems, lets' fix them.> > >>> > >>> How does DMARC help to in respect to pervasive monitoring, increasing > >>> security, prevent identity theft? > >> > >> http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/whi > >> te-> papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf > >> > >> The recent target problem started with an email, say Krebs... > >> > >> A bit of research on security and email will give you a better picture on > >> why legitimate emails need to be better recognized. > > > > I don't think anyone is disputing that. The problem is that legitimate > > emails are being treated as illegitimate. > > If you are not disputing that, then you know you need a driving license > because it increase security on the road, and if you don't have one then > you can feel some pain... > > We use to keep our doors open, we used to drive without license, we used to > not need TLS, we used to not need anti-spam software,... > > Machine learning is not as capable as human learning, algorithms are more > restrictive... > > Feel free to propose a better solution.. Quickly.. > > History in reboot, it all looks like SPF and DKIM IETF wars again....
No. This seems different. Having been involved in these discussions, writing and reviewing specs, writing code, and helping educate people about email authentication since 2004, I don't recall anything like this. The closes was the discussion about ADSP, but there was a clear understanding that ADSP was only appropriate for certain types of domains. The same is true of DMARC p=reject. It wasn't a problem until Yahoo stepped outside the generally understood scope of what p=reject was safe for with no notice and clearly absolutely no care for impact on third parties. There was also a fair amount of heat around the impact of SPF on transparent forwarding, but there was never the same kind of "screw you - your problem" attitude. If you look at the text of the soon to be published RFC 4408bis there is a ton (too much some people thought) of information about what can be done as a sender, mediator, or receiver to mitigate the problem. I think DMARC is a good idea (that's why I have DMARC records published), but you have to be careful how you use it. If they were going to make a change like this, despite the predictable and predicted negative impacts, it would have been a lot better to give notice so that administrators could be better prepared. As the confused discussion around what mailing lists should do now makes quite clear, there is no consensus on design or operational guidance to mitigate this issue. "mailman has a new feature" covers about 1% of the problem space. When I look at the feedback I get on my DMARC reports about 90% of the mail I send fails DMARC despite good SPF and DKIM deployments due to mailing lists, bug trackers, web site sharing, etc. For me and many others this is not about a trivial piece of the mail stream. Scott K _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc