On Sun, Aug 16, 2020 at 10:19 AM Hector Santos <hsantos= 40isdg....@dmarc.ietf.org> wrote:
> I believe it would be prudent for the AD to look at the reasons why
> the IETF has failed with this DKIM Project. If a cog is not for ADSP
> but for DMARC with the same problems, then what is that to say about
> this process? It has not been a fair process to say the least. A lot
> of wasted time, money and energy. It has been a long 15+ yrs and has
> become very tiring. :-(
>
> Despite the 3rd party authorization brush back, the concept has never
> gone away. It says a lot and it will never go away under the current
> DKIM POLICY model using the required hash bound Author Domain anchor
> as the forcing function for authorization.
>

Since this bit is directed at the AD, I finally have to put that hat on.

I don't agree that DKIM has been a failure. I believe it succeeds at exactly what it purports to provide, but not more.

The industry in general, and the IETF in particular, have chosen not to pursue widespread use of any kind of standards-based third party domain signature policy or reputation system. That's the obvious consensus, and in my opinion the reasons for that fact are sound. Both ATPS (individual submission, experimental, February 2012) and the REPUTE series of documents (working group, standards track, late 2013) saw nearly zero adoption after publication even when free reference implementations were provided. They differ from basic DKIM in that they require non-trivial upkeep, and that appears to be a step function inhibiting adoption among operators.

As to your assertion that this process has not been fair, I'm curious as to why you say that. There's nothing I can think of here other than DMARC that didn't go through a consensus process. That means concerns about all of these topics were heard and discussed. People's opinions that were in the rough still got aired; I don't recall that anyone was silenced just for dissenting.
As I said before, I'm disappointed that things like ATPS and REPUTE never got a serious attempt, but that's not because they were oppressed or sabotaged. That's just the reality we're in. If you can point to a discussion thread on the old DKIM list or any list since then where procedure wasn't followed, that might be interesting.

I still agree that if we could figure out a way to do this third party thing, it would go a long way toward resolving this whole problem space. But in many years of trying, we haven't found a way to do it that scales, is resistant to attack, is easy to implement and reason about, and is likely to achieve any real momentum. That appears to be a taller order than one might think at first blush, fair or not. ARC is the only thing that has achieved consensus and appears to have a chance at non-trivial levels of adoption.

I think the IETF did fail here in certain ways -- for example, by not being more helpful to the industry many years ago when the second derivative of spam and phishing was particularly acute -- but that rant is for another day.

-MSK, ART AD
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc