IETF Logo Mail Archive

Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

Dotzero <dotzero@gmail.com> Mon, 17 August 2020 13:05 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4303F3A1528 for <dmarc@ietfa.amsl.com>; Mon, 17 Aug 2020 06:05:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29RU6Oo-Z7Fd for <dmarc@ietfa.amsl.com>; Mon, 17 Aug 2020 06:04:52 -0700 (PDT)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A89DA3A152C for <dmarc@ietf.org>; Mon, 17 Aug 2020 06:04:52 -0700 (PDT)
Received: by mail-qk1-x732.google.com with SMTP id 2so14791758qkf.10 for <dmarc@ietf.org>; Mon, 17 Aug 2020 06:04:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YXTZOVY8N2V66ZFYvX1qDaccKyOMp1kyRrV+XYcuuo8=; b=LP/5/pgYoEyonfSnoKEZLqQo9feCC7lvw5AwTnKIEkhJhGPuznJ/+MkbDLDWMDWMEh Y1spmlQPxTZzSgdrxOhDUMyJ6QVflEN8g+3e94F+f3q8LDBMb6d0ZP/718DNFuDZaHZL ZlxSFCivQoOYBdS4pgwQZ4ryVS8zuCryVQjdGnzsDBT13dKJd5b/HXGRocgd1DELox1h YbmbwuktWX5W7/SoiLXJmKFuj2cUlf8z0LjMEmWjZVCOsjVUevYbNK5bpgBaV2nOMqU/ 5lmvtvqKMOOUTiyhy/6OjyetCy2ahEYqORey38nR/vHPJcwTtUbtFZ+RzQnoYAxvNR3S wLtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YXTZOVY8N2V66ZFYvX1qDaccKyOMp1kyRrV+XYcuuo8=; b=eLCQuHuEtUqPPQ2sXkyXytdTq8eMONNNx9/jn7YlhXX3D368JfA8Hh2RUNJttb16zR RnCjwn/4xhpFugWTHGi3gurF42Y+zgrLGeRakZXousJIrKnK9IzZSPfIOr92V7sO9qv4 hHV7iF3+rp+KdyfRSsjJLKqXqFIZmJK032K3juv1plnPmqU8nw+MrcJUatEiM4GGFGHa zlIWSzDO7a6EsYywM6xrZim/S3GO2PmDC3OMiaaDrl75UZqmbHziD0bwPnsuE5EaWSPk sAgCvVkGrs4CkhMzRtN6jNW4oVa+l1ctFbp/RwyEC14xuK3SAB+BCoaZ9AICt+9C2Cnp gnLw==
X-Gm-Message-State: AOAM532rJV1v3LnNf+svzb4ggOHTpixu1g6Bkq6/1L2TiXCa0OnNcwf9 wm+or1rbysJmjVj/WU0pn9H7qJPxRPDrNg1oS+HBZjew
X-Google-Smtp-Source: ABdhPJxLjuub/Qpg3QKq9202X0ekliLrhGHm7sVvhjAAvO+/FbZv2GxoivptZNw5Q/2aT7gdvVvdNiOHrmtZlv5Ibmg=
X-Received: by 2002:ae9:e902:: with SMTP id x2mr12775606qkf.66.1597669491656; Mon, 17 Aug 2020 06:04:51 -0700 (PDT)
MIME-Version: 1.0
References: <CAJ4XoYcFbh8-nAxjxzzRgUahFfhcgcZQ2yMF2ewv_-DgUmhL=g@mail.gmail.com> <20200814164237.313071E971DB@ary.local> <CAJ4XoYeqj_5mpZu1PZP4rNfrWRyC5gC-2dfK7oX9xQHiR24QeA@mail.gmail.com> <085c6a5f-5451-ae8c-4873-133673ba1754@tana.it> <CAL0qLwaVUi9QtV4zcCwncuy4N3YPwsGZPzFfd1q19io79UG2VQ@mail.gmail.com> <c1844590-4b12-9763-21c5-6ac5b730321b@tana.it> <6358f3da-806b-f4eb-b9a0-8ee8ce4121d7@dcrocker.net> <4e549ca6-6047-6ff2-325c-fe8d7247e157@tana.it> <c972e0af-b589-1780-47b3-8cb2a2024ec2@dcrocker.net> <13a0ed72-2c5a-8ba6-84ab-b857e29403f1@tana.it> <1703e878-e20a-8ae2-09e8-25470c0cf5f8@dcrocker.net> <e89a5551-f8cc-2d8e-4bfb-65fef943e9fe@tana.it>
In-Reply-To: <e89a5551-f8cc-2d8e-4bfb-65fef943e9fe@tana.it>
From: Dotzero <dotzero@gmail.com>
Date: Mon, 17 Aug 2020 09:04:40 -0400
Message-ID: <CAJ4XoYdgiz=U7iRDcfyQ5PSU_Wrd4=L_zXzzWku4gh7q-mWVWQ@mail.gmail.com>
To: Alessandro Vesely <vesely@tana.it>
Cc: Dave CROCKER <dcrocker@bbiw.net>, IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000084cc2e05ad126ab7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/7Cnw27jmGcPx6OYGX3wfzlQjR50>
Subject: Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2020 13:05:00 -0000

On Mon, Aug 17, 2020 at 5:58 AM Alessandro Vesely <vesely@tana.it> wrote:

> On Sun 16/Aug/2020 20:16:17 +0200 Dave Crocker wrote:
> >
> >>>>> If I put my gmail address into the from field, there is no
> >>>>> pretending, no matter what platform I am using.
> >>>>
> >>>>
> >>>> That conflicts with the coarse-grained authentication strategy,
> >>>> established at the FTC Email Authentication Summit in November
> >>>> 2004, as Doug^W Michael recalled >>>
> >>> 1. I was making a semantic point, not a technical or technical
> >>> policy one.
> >>
> >> They have to match at some point.
> >
> > it would be nice, wouldn't it?
> >
> > but that's separate from the factual statement I made.
>
>
> Separate but related.
>
>
> >>> 2. There was nothing 'established' at that event.  There were
> >>> interesting discussions, but that's all.
> >>
> >>
> >> I wasn't there.  Can't it be considered the historic event that
> >> marked domain-level authentication as the promising strategy to
> >> counter email abuse?
> >
> > Reference to that event as if it 'established' anything is misguided,
> > at best.  The meetings were helpful, but not definitive.  And the
> > efforts at domain level authentication were wholly independent of
> > these events.
>
>
> Would it be still correct to mention that summit as a conspicuous
> event that testifies the emergence of domain-level authentication
> around the early 2000s?
>
>
As someone who was there, I would be reticent to make such a statement.

>
> > As already noted on this list, the events served as a plea from the
> > government and, therefore, a signal that the government was concerned.
>
>
> A noteworthy historical detail.
>

I think myself and many others considered it more of an ultimatum to the
private sector than a plea.

>
>
> >>>> Your gmail address needs to be authenticated by gmail.
> >>>
> >>> Good grief, no.  There is no system rule to that effect.  DMARC
> >>> created that, but no policy before it was in place, never mind
> >>> accepted.
> >>
> >>
> >> DMARC took that strategy to the extremes.  A number of users and
> >> operators seem to have accepted it.  Why cannot we accept it too?
> >
> > That DMARC does something and that some people use it is quite
> > different from claiming that there was some grand change in the
> > semantics and operational policy of email.  Why can't THAT be accepted?
>

I think this is one of those areas that where you sit dictates where you
stand on the issue. When we talk about the evolution of the Internet we
could also go back to the days of AUP and talk about changes. Just saying.


>
> There's been a combination of events, from IETF's reluctant
> laissez-faire to Yahoo/AOL adoption, which brought up the illusion
> that email authentication can provide a global means to counter
> spoofing.  To believe that such illusion will come true makes for a
> strong motivation.
>

We really do need to stop using the word "spoofing" when we talk about
intermediaries such as MLMs.

>
> Couldn't we meet somewhere halfway?  I can see that you, John, Herr
> Hammer, and other relevant participants don't accept that domain-level
> authentication is semantically mandatory.  What d'you reckon about the
> possibility that such grand semantic change can be made official
> within the next 10~20 years?  I think that by just spelling the
> technical means /as if/ such change is going to happen, we can design
> a consistent authentication protocol.
>

Could people please stop referring to me as Herr Hammer. I am neither
German nor a Herr.


> It seems to me most expenses have been paid already, for example this
> mailing list is applying From: rewriting.  We don't need to propose
> further restrictions.  To the opposite, there are means on the
> table[*] that can enable us to sketch a time horizon where From:
> rewriting can cease.
>
> 16 years have passed since the FTC event, which is 1/3 of those 45.
> What I see looks much like a very mild shift.  Lazy operators have
> plenty of time before the semantic change is established, at some
> point in the medium-term future, if ever.
>

Notwithstanding my position on the issues being discussed, I think it is
unfair and inappropriate to refer to those opposed to changing semantics as
"lazy operators". Just because you want a change and they are against such
change does not make them lazy.

Michael Hammer

v2.23.0 | Report a Bug | By Email