On 7/20/2020 1:44 AM, Alessandro Vesely wrote:
> On Sun 19/Jul/2020 20:33:46 +0200 Dave Crocker wrote:
>> The essential point that needs to be made is that standards like this
>> MUST NOT be cast in terms of what end users will do. In practical
>> terms, this work has nothing to do with end users. Really. Nothing.
>> [...]
>> (*) I've seen one posting here or somewhere else that noted that
>> letting bad mail through can lead to end-users being deceived. I'll
>> claim that while true, it is not relevant, since the behavior happens
>> after DMARC, and the like, are relevant. That is, DMARC, etc., do
>> not inform the end-user behavior.
>
> Aren't those two paragraphs self-contradictory?
No.
A specification defines a field of activity. (A sandbox.) Things
outside that field are not relevant to the specification, even though
they might be highly relevant from a larger perspective. There is a
constant desire to have a specification that involves security-related
decision-making include the (human) recipient be an actor within the
scope of the specification. The first paragraph, quoted above, is a
reminder that we need to resist that desire.
The second paragraph, quoted above, is a reminder about a specific
example of this, namely about the DMARC specification. It acknowledges
that, in general, recipients can be deceived, but for the specific From:
field protection that DMARC provides, the recipient is not a relevant actor.
> If DMARC were dependable, maybe users would learn to trust From:. Or
> maybe not. Avoiding end user considerations cuts both ways. Yet, we
> can trust that if we do a well-defined, clear job, then the whole
> system will work better.
It is expensive and highly risky to create an international standard
that relies on such a tenuous hope about future behavior, especially in
the face of consistent empirical evidence that it won't happen.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net