Emphatically hatless:

On Fri, Jun 26, 2020 at 4:42 AM Douglas E. Foster <fost...@bayviewphysicians.com> wrote:

> Two weeks ago, John Levine reminded us that DMARC v1 was already deployed
> and this effort was to perfect the wording. Suddenly, we have a small but
> powerful group insisting that we discard DMARC v1 and turn it into DMARC
> v2.

"Perfect the wording" rather trivializes what I believe the charter charges this working group with doing. If you read it, I suggest you'll see that this is a heavier lift than that.

> This discussion has reviewed the success of DMARC v1, how it has limited a
> whole category of attacks and has helped with law enforcement takedowns.
> But now John Levine wants me to prove that From alignment is important to
> "most of us", a term I used to include myself in the group that has
> benefited from DMARC v1. Apparently historical results are not relevant.

This seems to me like a myopic synopsis of the discussion so far. Remember that while DMARC has lots of people thinking it's a huge step forward in fighting fraud, there is also an audience that thinks it's been a serious disruption and has caused more collateral damage than it is worth. It has, in particular, disrupted the work of the IETF itself. It is therefore reasonable, in my view, to review the premises on which the claimed success was achieved. (That's not to say claims of its success are flatly wrong, but rather that, as with any other scientific endeavor, reviewing our assumptions should always be on the table.)

> The supporters of DMARC v2 can certainly navigate the IETF process, but I
> cannot imagine that Google and Paypal, who created DMARC v1, will jump on
> your bandwagon. Nor can I imagine the US Government, which is requiring
> DMARC v1 rollout now, will jump on the v2 bandwagon based on the evidence
> presented in this discussion so far.

DMARC v1 was not the product of any standards process. One could argue that the damage it has caused is a result of the absence of such rigor. I don't know why, then, you would discard v2 so easily when it will by definition be developed with what is probably a higher standard before it's published. I, similarly, cannot imagine the likes of Google and Paypal dismissing out of hand a potentially improved version that actually has more broad consensus and reduces damage (but, of course, I'm in no position to speak for them). I'd like us to take a run at actually doing the work before calling conclusions like this.

> I have pointed out that the mailing list problem can be largely solved with
> user-specific delivery options in the MLM, but that has so far been
> ignored. However, to support any transition to DMARC v2, MLMs will need
> user-specific delivery options to distinguish those recipients that support
> the new design from those who do not. So MLM readiness is not a small
> issue.

I suggest that specification of user delivery options doesn't belong in a protocol document, except perhaps in an informative advisory appendix. The working group could choose to pursue an applicability statement alongside the protocol document that defines DMARC v2, if that's a necessity. It's up to the chairs to determine whether consensus has been established to do so; it's up to you, if you are in favor, to do the work to develop that consensus.

-MSK
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc