Re: [dmarc-ietf] are mailing lists worth saving?

[Dave Crocker]

On 12/10/2020 6:21 PM, Rich Kulawiec wrote:

but here's a version of it:


Just a thought, but the topic of mailing lists is both on-topic and 
currently being discussed, in the emailcore working group.


d/

--
Dave Crocker
dcroc...@gmail.com
408.329.0791

Volunteer, Silicon Valley Chapter
American Red Cross
dave.crock...@redcross.org

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[Rich Kulawiec]

Yes, they are.  I've been editing a document that lays out some of
the strong arguments in their favor.  It's still a draft (and may
always be because I keep revising it), but here's a version of it:

--

Mailing lists, which were sometimes called "reflectors" in their early
days, are one of the older pieces of Internet technology.  Despite that,
they're still heavily used -- including by the very people who built
and still run the Internet, people who could use anything they wanted.

That's not an accident.  It's because mailing lists have enormous
technical advantages over the alternatives.  Here are some of those:

1. Mailing lists require no special software: anyone with a sensible
mail client can participate.  Thus they allow you to use *your* software
with the user interface of *your* choosing rather than being compelled
to learn 687 different web forums with 687 different user interfaces,
all of which range from "merely bad" to "hideously bad".

2. Mailing lists are simple: learn a few basic rules of netiquette and a
couple of Internet-wide conventions, and one's good to go.  Web forums
are complicated because all of them are different.  In other words,
participating in 20 different mailing lists is just about as easy as
participating in one; but participating in 20 different web forums
is onerous.

3. They impose minimal security risk.

4. They impose minimal privacy risk.

Points 3 and 4 stand in stark contrast to the security and privacy risks
imposed on users of web forums and "social" media, especially the latter.

5. Mailing lists are bandwidth-friendly -- an increasing concern for
people on mobile devices and thus on expensive data plans.  Web forums
are bandwidth-hungry.

6. Mailing lists interoperate.  I can easily forward a message from one
list to another one.  Or to a person.  I can send a message to multiple
lists.  I can forward a message from a person to a list.  And so on.
Try doing this with web forum software A on host B with destinations
web forum software X and Y on hosts X1 and Y1.  Good luck with that.

7. They're asynchronous: you don't have to interact in real time.
You can download messages when connected to the Internet, then read them
and compose responses when offline.

8. As a result of 7, They work reasonably well even in the presence
of multiple outages and severe congestion.  Messages may be delayed,
but once everything's up again, they'll go through.  Web-based forums
simply don't work.

9. They're push, not pull, so new content just shows up.  Web forums
require that you go fishing for it.

10. They scale beautifully.

11. (When properly run) they're relatively free of abuse vectors.
Mailing lists are highly resistant to abuse.  Web forums, because of
their complexity, are highly vulnerable to software security issues
as well as spam/phishing and other attacks.

12. They handle threading well.  And provided users take a few seconds
to edit properly, they handle quoting well.

13. They're portable: lists can be rehosted (different domain, different
host) rather easily.

14. They can be freely interconverted -- that is, you can move a list
hosted by A using software B on operating system C to host X using
software Y on operating system Z.

15. They can be written to media and read from it.  This is a very
non-trivial task with web forums.

16. The computing resources require to support them are minimal -- CPU,
memory, disk, bandwidth, etc.

17. Mailing lists can be uni- or bidirectionally gatewayed to Usenet.
(The main Python language mailing list is an example of this.)  This can
be highly useful.

18. They're easily archivable in a format that is simple and likely to
be readable long into the future.  Mail archives from 10, 20, even 30
or more years ago are still completely usable.  And they take up very
little space.

[ Numerous tools exist for handling Unix "mbox" format: for
example, "grepmail" is a highly useful basic search tool.
Most search engines include parsers for email, and the task
of ingesting mail archives into search engines is very well
understood. ]

19. You can archive them locally...

20. ...which means you can search them locally with the software of
*your* choice.  Including when you're offline.  And provided you make
backups, you'll always have an archive -- even if the original goes away.
Web forums don't facilitate this.

[ Those of us who've been around for a while have seen a lot of
web-based discussions vanish forever because a host crashed or a
domain expired or a company went under or a company was acquired
or someone made a mistake or there was a security breach or a
government confiscated it. ]

There's more, but I think this easily suffices to make a slamdunk case.

Frank Zappa once said that you can't be a real country unless you have
a beer and an airline.  I don't think you can take an organization or
a project seriously unless it has a 

Re: [dmarc-ietf] are mailing lists worth saving?

[Michael Thomas]

So where is the proper place to discuss an ongoing IETF experiment? 
Seems sort of like catch-22.


Mike

On 12/10/20 3:52 PM, Seth Blank wrote:

Michael, Dave, this discussion is off topic.

Please see the Chairs' note here: 
https://mailarchive.ietf.org/arch/msg/dmarc/HhfoBzu_RlM4aiMbiLc4BaHjjmc/ 



There will be a time to discuss indirect mail flow (and if we even 
care about mailing lists) after the core bis tickets are addressed.


Thank you.

Seth, as Chair

On Thu, Dec 10, 2020 at 3:45 PM Dave Crocker > wrote:


On 12/10/2020 3:34 PM, Michael Thomas wrote:
> I'm just making the observation


"Basically just declare" is not a linguistic form for 'just making an
observation'.  It's a proposal.

d/

-- 
Dave Crocker

dcroc...@gmail.com 
408.329.0791

Volunteer, Silicon Valley Chapter
American Red Cross
dave.crock...@redcross.org 

___
dmarc mailing list
dmarc@ietf.org 
https://www.ietf.org/mailman/listinfo/dmarc




--
*Seth Blank*| VP, Standards and New Technologies
*e:*s...@valimail.com 
*p:*415.273.8818


This email and all data transmitted with it contains confidential 
and/or proprietary information intended solely for the use of 
individual(s) authorized to receive it. If you are not an intended and 
authorized recipient you are hereby notified of any use, disclosure, 
copying or distribution of the information included in this 
transmission is prohibited and may be unlawful. Please immediately 
notify the sender by replying to this email and then delete it from 
your system.


___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[Seth Blank]

Doug, this thread is off topic. Please disengage.

Seth, as Chair

On Thu, Dec 10, 2020 at 17:58 Douglas Foster <
dougfoster.emailstanda...@gmail.com> wrote:

> What you miss is that mailing lists are not the whole scope.  All
> forwarding creates trust problems and all modifications by intermediaries
> will cause trust problems.
>
>   Modification is done by many spam filters, and the prevalence of
> modification seems to be increasing.   If any of that traffic is
> auto-forwarded, it also has the mailing list problem.
>
> Reverse transformation may help with the modification problem but it
> cannot help with the larger problems of forwarder trust.  And there are
> many users of forwarding.
>
> A forwarder needs to do more than gain trust that it did nothing
> unacceptable, it also must help the recipient conclude that the originator
> did nothing unacceptable.   We have lacked a strategy for doing this.
>
> Right now, forwarding under SPF and DMARC causes important information to
> be discarded.So they make the forwarding trust problem worse.
> Unverifiable Received entries make the problem even harder.
>
> ARC is a technology which should be able to address the forwarder trust
> problem, whether modification occurs or not.   Whether it currently conveys
> all of the needed information to satisfy recipients must remain to be
> seen.  I do not believe that it does at present, but I believe that it
> could and should.
>
>
> On Thu, Dec 10, 2020, 6:23 PM Michael Thomas  wrote:
>
>>
>> On 12/10/20 2:58 PM, Dave Crocker wrote:
>>
>> On 12/9/2020 3:05 PM, Michael Thomas wrote:
>>
>> we know that amount of traffic going through mailing lists is tiny --
>> like a couple percent.
>>
>>
>> Keeping in mind that mailing lists have been a legitimate
>> Arpanet/Internet email activity since the start of network email and that
>> it is DMARC that created operational problems, rather than mailing list
>> activity creating problems,  the onus for declaring a nearly 50 year
>> activity no longer supported should be pretty compelling.  It should not
>> rely on anecdotes or the views of an isolated few. And it certainly should
>> not justify the change with some broad, cavalier claims about security.
>>
>> For starters:
>>
>>- Please document attacks and other misbehaviors that have been
>>attributed to mailing list operation
>>- Please provide objective, validated documentation for you assertion
>>that the traffic through mailing lists is tiny.
>>- Please include similar substantiation for the percentage claim
>>- Please explain how this type of long-standing legitimate activity
>>can reasonably be otherwise conducted; a generic reference to the web is
>>not sufficient; what is needed is a point-for-point evaluation of mailing
>>list group and technical functionality and an comparison to replacement
>>choices.
>>
>>
>> This assumes that the IETF has any say whatsoever in this matter. It
>> doesn't. DMARC and ADSP before it gives the world the ability to say "i
>> don't care about mailing lists". Apparently Yahoo is one of them. That
>> horse has left the barn. Many domains would rather the security
>> improvements with p=reject. And it's not mailing lists that are the problem
>> per se, it is that the security posture that facilitating them leaves
>> organizations vulnerable to phishing attacks. Many organizations are giving
>> that a nope, and there is nothing we can do about that.
>>
>> There are many things that had their day and died because they couldn't
>> adapt, were redundant, or their time was just over. Usenet is a great
>> example. After 16 years of trying to deal with the mailing list problem,
>> we're right back where we started. Murray's hacks for recovering the
>> signature are not different in kind to my heuristics and hacks I did 15
>> years ago. And ARC seems to boil down to requiring the previously unsolved
>> problem of "trusting" the mailing list.
>>
>> So no, I won't be doing any of those things because they are completely
>> beside the point. Feel free trying your hand solving it.
>>
>> Mike
>> ___
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
> ___
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
-- 

*Seth Blank* | VP, Standards and New Technologies
*e:* s...@valimail.com
*p:* 415.273.8818


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

Re: [dmarc-ietf] are mailing lists worth saving?

[Douglas Foster]

What you miss is that mailing lists are not the whole scope.  All
forwarding creates trust problems and all modifications by intermediaries
will cause trust problems.

  Modification is done by many spam filters, and the prevalence of
modification seems to be increasing.   If any of that traffic is
auto-forwarded, it also has the mailing list problem.

Reverse transformation may help with the modification problem but it cannot
help with the larger problems of forwarder trust.  And there are many users
of forwarding.

A forwarder needs to do more than gain trust that it did nothing
unacceptable, it also must help the recipient conclude that the originator
did nothing unacceptable.   We have lacked a strategy for doing this.

Right now, forwarding under SPF and DMARC causes important information to
be discarded.So they make the forwarding trust problem worse.
Unverifiable Received entries make the problem even harder.

ARC is a technology which should be able to address the forwarder trust
problem, whether modification occurs or not.   Whether it currently conveys
all of the needed information to satisfy recipients must remain to be
seen.  I do not believe that it does at present, but I believe that it
could and should.


On Thu, Dec 10, 2020, 6:23 PM Michael Thomas  wrote:

>
> On 12/10/20 2:58 PM, Dave Crocker wrote:
>
> On 12/9/2020 3:05 PM, Michael Thomas wrote:
>
> we know that amount of traffic going through mailing lists is tiny -- like
> a couple percent.
>
>
> Keeping in mind that mailing lists have been a legitimate Arpanet/Internet
> email activity since the start of network email and that it is DMARC that
> created operational problems, rather than mailing list activity creating
> problems,  the onus for declaring a nearly 50 year activity no longer
> supported should be pretty compelling.  It should not rely on anecdotes or
> the views of an isolated few. And it certainly should not justify the
> change with some broad, cavalier claims about security.
>
> For starters:
>
>- Please document attacks and other misbehaviors that have been
>attributed to mailing list operation
>- Please provide objective, validated documentation for you assertion
>that the traffic through mailing lists is tiny.
>- Please include similar substantiation for the percentage claim
>- Please explain how this type of long-standing legitimate activity
>can reasonably be otherwise conducted; a generic reference to the web is
>not sufficient; what is needed is a point-for-point evaluation of mailing
>list group and technical functionality and an comparison to replacement
>choices.
>
>
> This assumes that the IETF has any say whatsoever in this matter. It
> doesn't. DMARC and ADSP before it gives the world the ability to say "i
> don't care about mailing lists". Apparently Yahoo is one of them. That
> horse has left the barn. Many domains would rather the security
> improvements with p=reject. And it's not mailing lists that are the problem
> per se, it is that the security posture that facilitating them leaves
> organizations vulnerable to phishing attacks. Many organizations are giving
> that a nope, and there is nothing we can do about that.
>
> There are many things that had their day and died because they couldn't
> adapt, were redundant, or their time was just over. Usenet is a great
> example. After 16 years of trying to deal with the mailing list problem,
> we're right back where we started. Murray's hacks for recovering the
> signature are not different in kind to my heuristics and hacks I did 15
> years ago. And ARC seems to boil down to requiring the previously unsolved
> problem of "trusting" the mailing list.
>
> So no, I won't be doing any of those things because they are completely
> beside the point. Feel free trying your hand solving it.
>
> Mike
> ___
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[Dave Crocker]

On 12/10/2020 3:52 PM, Seth Blank wrote:

Michael, Dave, this discussion is off topic.


oops. ack. sorry. d/

--
Dave Crocker
dcroc...@gmail.com
408.329.0791

Volunteer, Silicon Valley Chapter
American Red Cross
dave.crock...@redcross.org

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[Michael Thomas]

On 12/10/20 3:45 PM, Dave Crocker wrote:

On 12/10/2020 3:34 PM, Michael Thomas wrote:
I'm just making the observation 



"Basically just declare" is not a linguistic form for 'just making an 
observation'.  It's a proposal.



A proposal that we face reality? I suppose in an odd sense of the word. 
Unless you have a different means of avoiding that fate after 16 years 
with a technical solution that has eluded everybody else, then nature 
will just take its course with more and more organizations setting up 
p=reject making it harder and harder to use mailing lists.


As far as this working group goes, it seems the charter already takes 
this into account. ARC provides the fig leaf and DMARC is just getting 
cleaned up as the charter said to.


Mike

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[Seth Blank]

Michael, Dave, this discussion is off topic.

Please see the Chairs' note here:
https://mailarchive.ietf.org/arch/msg/dmarc/HhfoBzu_RlM4aiMbiLc4BaHjjmc/

There will be a time to discuss indirect mail flow (and if we even care
about mailing lists) after the core bis tickets are addressed.

Thank you.

Seth, as Chair

On Thu, Dec 10, 2020 at 3:45 PM Dave Crocker  wrote:

> On 12/10/2020 3:34 PM, Michael Thomas wrote:
> > I'm just making the observation
>
>
> "Basically just declare" is not a linguistic form for 'just making an
> observation'.  It's a proposal.
>
> d/
>
> --
> Dave Crocker
> dcroc...@gmail.com
> 408.329.0791
>
> Volunteer, Silicon Valley Chapter
> American Red Cross
> dave.crock...@redcross.org
>
> ___
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>


-- 

*Seth Blank* | VP, Standards and New Technologies
*e:* s...@valimail.com
*p:* 415.273.8818


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[Dave Crocker]

On 12/10/2020 3:34 PM, Michael Thomas wrote:
I'm just making the observation 



"Basically just declare" is not a linguistic form for 'just making an 
observation'.  It's a proposal.


d/

--
Dave Crocker
dcroc...@gmail.com
408.329.0791

Volunteer, Silicon Valley Chapter
American Red Cross
dave.crock...@redcross.org

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[Michael Thomas]

On 12/10/20 3:25 PM, Dave Crocker wrote:

On 12/10/2020 3:23 PM, Michael Thomas wrote:
So no, I won't be doing any of those things because they are 
completely beside the point. Feel free trying your hand solving it.


Yet you were the one making the proposal and making claims as 
foundational to it.


I don't need to prove anything here. I'm just making the observation 
that after 15 years we still don't know how to solve the mailing list 
problem so I'm going to assume that we never will. We don't even know 
how to declare victory. Every time I've asked that it's met with "good 
question".  Ditto the mailing list trust problem.


Mike

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[Michael Thomas]

On 12/10/20 3:23 PM, Dave Crocker wrote:

On 12/10/2020 3:17 PM, John Levine wrote:

People at very large mail systems tell me that while the amount of
traffic from discussion lists is a tiny part of the overall mail flow,
it is mail that their recipients really want and complain if they
don't get.


The relates to my point about getting community consensus...

There is no consensus to be had. IETF has no say in this matter. Reddit 
is a terrible Usenet 2.0, but that's what happened when Usenet couldn't 
keep up with the times.


Mike

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[Dave Crocker]

On 12/10/2020 3:23 PM, Michael Thomas wrote:
So no, I won't be doing any of those things because they are 
completely beside the point. Feel free trying your hand solving it.


Yet you were the one making the proposal and making claims as 
foundational to it.


d/

--
Dave Crocker
dcroc...@gmail.com
408.329.0791

Volunteer, Silicon Valley Chapter
American Red Cross
dave.crock...@redcross.org

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[Dave Crocker]

On 12/10/2020 3:17 PM, John Levine wrote:

People at very large mail systems tell me that while the amount of
traffic from discussion lists is a tiny part of the overall mail flow,
it is mail that their recipients really want and complain if they
don't get.


The relates to my point about getting community consensus...

d/

--
Dave Crocker
dcroc...@gmail.com
408.329.0791

Volunteer, Silicon Valley Chapter
American Red Cross
dave.crock...@redcross.org

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[Michael Thomas]

On 12/10/20 2:58 PM, Dave Crocker wrote:

On 12/9/2020 3:05 PM, Michael Thomas wrote:
we know that amount of traffic going through mailing lists is tiny -- 
like a couple percent.



Keeping in mind that mailing lists have been a legitimate 
Arpanet/Internet email activity since the start of network email and 
that it is DMARC that created operational problems, rather than 
mailing list activity creating problems,  the onus for declaring a 
nearly 50 year activity no longer supported should be pretty 
compelling.  It should not rely on anecdotes or the views of an 
isolated few. And it certainly should not justify the change with some 
broad, cavalier claims about security.


For starters:

  * Please document attacks and other misbehaviors that have been
attributed to mailing list operation
  * Please provide objective, validated documentation for you
assertion that the traffic through mailing lists is tiny.
  * Please include similar substantiation for the percentage claim
  * Please explain how this type of long-standing legitimate activity
can reasonably be otherwise conducted; a generic reference to the
web is not sufficient; what is needed is a point-for-point
evaluation of mailing list group and technical functionality and
an comparison to replacement choices.


This assumes that the IETF has any say whatsoever in this matter. It 
doesn't. DMARC and ADSP before it gives the world the ability to say "i 
don't care about mailing lists". Apparently Yahoo is one of them. That 
horse has left the barn. Many domains would rather the security 
improvements with p=reject. And it's not mailing lists that are the 
problem per se, it is that the security posture that facilitating them 
leaves organizations vulnerable to phishing attacks. Many organizations 
are giving that a nope, and there is nothing we can do about that.


There are many things that had their day and died because they couldn't 
adapt, were redundant, or their time was just over. Usenet is a great 
example. After 16 years of trying to deal with the mailing list problem, 
we're right back where we started. Murray's hacks for recovering the 
signature are not different in kind to my heuristics and hacks I did 15 
years ago. And ARC seems to boil down to requiring the previously 
unsolved problem of "trusting" the mailing list.


So no, I won't be doing any of those things because they are completely 
beside the point. Feel free trying your hand solving it.


Mike

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[John Levine]

In article  you write:
>-=-=-=-=-=-
>
>On 12/9/2020 3:05 PM, Michael Thomas wrote:
>> we know that amount of traffic going through mailing lists is tiny -- 
>> like a couple percent.

People at very large mail systems tell me that while the amount of
traffic from discussion lists is a tiny part of the overall mail flow,
it is mail that their recipients really want and complain if they
don't get. That is unlike commercial bulk mail, which recipients don't
mind but wouldn't miss.

The mail providers didn't invent ARC because they were bored and had
too much spare time. It was because it addresses a real problem they
have.

R's,
John

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] are mailing lists worth saving?

[Dave Crocker]

On 12/9/2020 3:05 PM, Michael Thomas wrote:
we know that amount of traffic going through mailing lists is tiny -- 
like a couple percent.



Keeping in mind that mailing lists have been a legitimate 
Arpanet/Internet email activity since the start of network email and 
that it is DMARC that created operational problems, rather than mailing 
list activity creating problems,  the onus for declaring a nearly 50 
year activity no longer supported should be pretty compelling.  It 
should not rely on anecdotes or the views of an isolated few. And it 
certainly should not justify the change with some broad, cavalier claims 
about security.


For starters:

 * Please document attacks and other misbehaviors that have been
   attributed to mailing list operation
 * Please provide objective, validated documentation for you assertion
   that the traffic through mailing lists is tiny.
 * Please include similar substantiation for the percentage claim
 * Please explain how this type of long-standing legitimate activity
   can reasonably be otherwise conducted; a generic reference to the
   web is not sufficient; what is needed is a point-for-point
   evaluation of mailing list group and technical functionality and an
   comparison to replacement choices.

Once these documentation details have been lined up and have obtained 
meaningful community support, it might be worth pursuing the 
de-legitimization of Internet mailing lists.


d/

--
Dave Crocker
dcroc...@gmail.com
408.329.0791

Volunteer, Silicon Valley Chapter
American Red Cross
dave.crock...@redcross.org

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc