On 7/20/2020 1:44 AM, Alessandro Vesely wrote:
> On Sun 19/Jul/2020 20:33:46 +0200 Dave Crocker wrote:
>> The essential point that needs to be made is that standards like this MUST NOT be cast in terms of what end users will do.  In practical terms, this work has nothing to do with end users. Really.  Nothing.
>> [...]
>> (*) I've seen one posting here or somewhere else that noted that letting bad mail through can lead to end-users being deceived. I'll claim that while true, it is not relevant, since the behavior happens after DMARC, and the like, are relevant.  That is, DMARC, etc., do not inform the end-user behavior.
>
> Aren't those two paragraphs self-contradictory?

No.

A specification defines a field of activity.  (A sandbox.) Things outside that field are not relevant to the specification, even though they might be highly relevant from a larger perspective. There is a constant desire to have a specification that involves security-related decision-making include the (human) recipient as an actor within the scope of the specification. The first paragraph, quoted above, is a reminder that we need to resist that desire.

The second paragraph, quoted above, is a reminder about a specific example of this, namely about the DMARC specification. It acknowledges that, in general, recipients can be deceived, but for the specific From: field protection that DMARC provides, the recipient is not a relevant actor.


> If DMARC were dependable, maybe users would learn to trust From:. Or maybe not.  Avoiding end user considerations cuts both ways. Yet, we can trust that if we do a well-defined, clear job, then the whole system will work better.

It is expensive and highly risky to create an international standard that relies on such a tenuous hope about future behavior, especially in the face of consistent empirical evidence that it won't happen.

d/


--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc