[apps-discuss] DMARC and the conflict of extensions vs. deployment

[Paul Hoffman <paul.hoffman@vpnc.org>]

=====
The initial charter for this working group does not include revising the base specification, but rather producing incremental extensions to it. However, if resolving any of the issues listed in the areas of focus below does require changes to the base specification, or if the specification needs to be revised to correct technical errors deemed essential for proper use, the group will recharter accordingly.
=====

To me, this says "the WG should produce incremental extensions where needed". However:

=====
At the time of chartering, DMARC has already achieved an estimated coverage of 60% of the Internet's mailboxes. Consequently, any extensions or revisions that create software or operations incompatibilities with this significant installed base need to be considered carefully. The strong preference is for the working group to preserve existing software and procedures. For changes likely to affect the installed base, the working group will actively seek to include developers and operators of DMARC-based mechanisms outside the core set of working group participants in its consensus discussions.
=====

To me, that says that the WG cannot produce an incremental extension because existing software and procedures would have to be updated.  That statement seems to include even the listed milestones. For example, I cannot see how to make DMARC work with mailing lists without changing software and/or procedures. Similarly, even if there is agreement on transitive trust agreements will change procedures significantly.

If the people proposing the charter want a WG that extends the base spec, the latter paragraph needs to be removed. If the people proposing the charter want a WG that does not change the software and operations currently deployed, the first paragraph needs to be remove, and make it clear that the WG's only deliverables are the implementation and deployment guide and practices guides from later in the charter.

Having both paragraphs in the charter leaves the WG participants not knowing what it is they can do, and yet that knowing is exactly why the IETF has charters.



Assuming that the people proposing the charter really want the limitations from the second quote above (which seems likely), I propose that the WG not be formed. Forming a WG with limitations that are imposed from outside the IETF will cause the waste of hundreds or thousands of IETF participant hours. The phrase "needs to be considered carefully" is a call to endless debates about what "carefully" means and who ultimately gets to be the careful considerers who count.

The main proponents of the private DMARC spec are already active IETF participants. They can recruit the rest of us to join the private DMARC work effort without wasting a lot of IETF time on helping a private effort. They can send mail to AppsArea when they want people to join their private discussions on extensions to DMARC. They can (and should!) update people at the face-to-face IETF meetings. They can (and should!) publishing the results of their private efforts as RFCs through the ISE; that's a great use of the ISE track of RFCs. But trying to have an IETF WG-that-isn't-really-a-WG seems wasteful of valuable resources.

Note: if I'm wrong above and the people proposing the charter ditch the restrictions of the second quote, the charter still needs more work, namely adding a sentence or two to each deliverable about what is expected of those extensions.

--Paul Hoffman