Re: [dmarc-ietf] Time for a change

"Douglas E. Foster" <fosterd@bayviewphysicians.com> Sun, 16 August 2020 19:09 UTC

Return-Path: <btv1==49793bf6e8e==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EE2C3A0A4F for <dmarc@ietfa.amsl.com>; Sun, 16 Aug 2020 12:09:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5DTHeHDzbBni for <dmarc@ietfa.amsl.com>; Sun, 16 Aug 2020 12:09:10 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 422C83A0A4D for <dmarc@ietf.org>; Sun, 16 Aug 2020 12:09:10 -0700 (PDT)
X-ASG-Debug-ID: 1597604945-11fa3136ba13a10001-K2EkT1
Received: from webmail.bayviewphysicians.com (smartermail4.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id YIvM11m6ylyRAZtt (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO) for <dmarc@ietf.org>; Sun, 16 Aug 2020 15:09:05 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h=message-id:reply-to:subject:to:from; bh=uNrMacoGfsRMDjB2uiknvIM3tmZSzdyKxJZro6Gx3Qc=; b=W3q8IzMcCBt1rwvKoFYgWicnQqtlDkj33twajLjZuzydWewrmOQuJTN8oGNU/8MtQ W414dVkCcAHrEAmzixQv4fOI1a8M4UrMddmzHTfCqvCLa+4Ee1JOBR9acJPy0jFPI IKQ12TnJT0ZgjdN1QKlyDXKGAXDvg+KvPtz3gsHJs=
From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: dmarc@ietf.org
Date: Sun, 16 Aug 2020 19:08:58 +0000
X-ASG-Orig-Subj: Re: [dmarc-ietf] Time for a change
Reply-To: fosterd@bayviewphysicians.com
Message-ID: <366e50ed8bda41cb879fa245e2d7c27a@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="9cd6bcd0e0704e8294750d388c49e74b"
In-Reply-To: <5F396A77.3000109@isdg.net>
References: <20200810172411.A13681E7CD8B@ary.local> <7e9326fc-ae27-d4bd-9f2b-9896da8320f1@dcrocker.net> <CAL0qLwacyBbJscEM_a4-nvugO0HBaSAdPqUPkfYYOOb++cOjQQ@mail.gmail.com> <5F396A77.3000109@isdg.net>
X-Exim-Id: 366e50ed8bda41cb879fa245e2d7c27a
X-Barracuda-Connect: smartermail4.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1597604945
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 13854
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.83943 Rule breakdown below pts rule name description ---- ---------------------- -------------------------------------------------- 0.00 HTML_MESSAGE BODY: HTML included in message
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9czWqFzwT969vZC-McnT5hzsR8M>
Subject: Re: [dmarc-ietf] Time for a change
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Aug 2020 19:09:13 -0000


The reality is that IETF has mostly provided followership, not leadership, on matters of security.  This forum is replicating history.   As has been mentioned in the historical review, SPF, DKIM, and DMARC were independently successful projects, as was SSL.  IETF provided after-the-fact blessing.   It is time to follow the same model.

If there is an opportunity to accelerate DMARC adoption, I think it is in the area of third-party authentication, presumably based on ATPS.   To move the possibility forward, we need to move off this list.  The target audience for this capability will be organizations that are non-DMARC or DMARC p=none specifically because DKIM delegation is an obstacle.    I have no idea whether that category is a trivial or non-trivial group, so we would need to find out.  Major ESPs are successfully implementing DKIM scope delegation to comply with DMARC, so maybe it is not the issue.   DKIM delegation creates complexity which becomes an obstacle to new entrants, so big ESPs may like the status quo just fine.   These are all things that need to be assessed, and they are more important than writing a new specification.

Then, we need to expand the base of participants to include people who would be willing to implement the third-party authentication scheme after it is defined.   I think that list would need to look something like this:

 - A national government representative, to ensure that any new proposal is not vetoed
 - A financial services industry representative
 - An Email Service Provider industry representative
 - A large organization that is holding back on DMARC p=reject because DKIM delegation is an obstacle
 - One or more commercial product representatives

I would love to have Verizon Media participate, but I have asked and had no response.
If you want to participate, send me a direct email.    More importantly, if you have connections with people who could play the role of influencers, reach out to them.

If there are other topics that would move DMARC forward, we can put them up for consideration.  If you want to discuss special treatment for mailing lists, you are specifically disinvited.

Doug Foster

----------------------------------------
From: hsantos=40isdg.net@dmarc.ietf.org
Sent: 8/16/20 1:19 PM
To: dmarc@ietf.org
Subject: Re: [dmarc-ietf] third party authorization, not, was non-mailing list
On 8/13/2020 8:21 PM, Murray S. Kucherawy wrote:
> On Mon, Aug 10, 2020 at 10:27 AM Dave Crocker <dhc@dcrocker.net
> <mailto:dhc@dcrocker.net>> wrote:
>
> > We have had a lot of attempts at third-party authorization schemes
> .....
> > With this in mind, I cannot see any point in designing yet another
> > vouching or authorization scheme unless we have evidence that an
> > interesting fraction of the world's mail systems want to use it. I
> > don't see that, and honestly see no chance that we ever will.
>
> +1
>
>
> I'm disappointed that the experiment never really got its day in
> court,

+1 and I want to give you credit for trying. Without you, I might
have been long gone from the DKIM project WGs. So I thank you for
keeping it interesting, but....

> but the consensus is clear. +1.

Here I have to disagree. I don't ask anyone to agree with me but to
understand my viewpoint as a long time participant and advocate of the
DKIM Policy Model. Early on, we had limited policy proponents. But
not today.

I have a different viewpoint, a viewpoint that really was blocked
by the two controlling cogs who had DKIM interest elsewhere, namely
Levine, Crocker. Crocker has been more open ended. Not Levine. Since
day 0, Levine never liked policy and to his credit, he admitted it as
much. He killed SSP with the "poison pill" (crippled draft) ADSP
replacement he knew would never make it past LC. Levine was always
for the 3rd party trust/list signer idea - never a 1st party
authorization. But he narrowed down the scope to the restrictive
policy, removing any 3rd party consideration. The same will most
likely be true with DMARC with the same problems. Yet, why would any
list developer deny new security options for list operations? I never
got that and that was before ADSP or even ATPS. When it comes to
DKIM, if Levine didn't like it, it simply wasn't happening. Sad to say
and I don't see that changing. So now that we have the top three DKIM
cogs agreeing, there is not much reason to even bother anymore when
one of them is the AD. What is one to think at this point? "Follow
the Chieftain" syndrome?

Just consider, we are 15+ yrs into all this and nothing was
accomplished with DKIM in regards to LIST systems. DMARC, with the
same exact problems as ADSP, snuck on via an informational status.
Nothing wrong there, but it was pushed as a standard and ventures were
started. Who wins? who loses?

I believe it would be prudent for the AD to look at the reasons why
the IETF has failed with this DKIM Project. If a cog is not for ADSP
but for DMARC with the same problems, then what is that to say about
this process? It has not been a fair process to say the least. A lot
of wasted time, money and energy. It has been a long 15+ yrs and has
become very tiring. :-(

Despite the 3rd party authorization brush back, the concept has never
gone away. It says a lot and it will never go away under the current
DKIM POLICY model using the required hash bound Author Domain anchor
as the forcing function for authorization.

At this point, I would suggest to give the new generation IETF mail
developers a new chance at DKIM-based security. Rewrite DKIM as v3.0
as you guys want it for 3rd party trust. Remove the Author Domain
dependency so that the world can nip the Mail tampering bug opened
with Levine's Rewrite crud.

I wouldn't worry about backward compatibility. Two different streams,
only the newer one will matter.

--
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
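Two passages above turn on the same mechanism: Doug Foster's proposal of "third-party authentication, presumably based on ATPS" as an alternative to the "DKIM scope delegation" that ESPs do today, and Hector Santos's remark that the DKIM policy model is anchored on the hash-bound Author Domain as the forcing function for authorization. The following is an added example, not code from either post or from any project on this page. It models, offline, how a DMARC-style DKIM check would accept an ESP's signature either because the ESP signs with d= equal to the From: domain (delegation, where the author domain typically CNAMEs the selector to the ESP's key) or because the author domain publishes an RFC 6541 ATPS record for the ESP's own signing domain. All domains (author.example, esp.example, other.example) are made up, DNS is an in-memory table, cryptographic DKIM verification is assumed to have already succeeded (the verified signature tags are the input), and DMARC's organizational-domain step is simplified to "last two labels" rather than the Public Suffix List.

```python
"""Added example: DMARC DKIM alignment vs. ATPS (RFC 6541) third-party
authorization, with a constructed in-memory DNS zone.  Not from the post.

  1. DKIM delegation: ESP signs with d=<author domain>; the author domain's
     selector points at the ESP key (e.g. esp1._domainkey.author.example
     CNAME esp1._domainkey.esp.example). Alignment holds natively.
  2. ATPS: ESP signs with its own d= plus atps=<author domain>; the author
     domain publishes <label>._atps.<author domain> TXT "v=ATPS1; d=<signer>",
     <label> being base32(hash(signer domain)).
"""
import base64
import hashlib


def atps_label(signing_domain: str, hash_alg: str) -> str:
    """RFC 6541 lookup label: lowercase d=, hash with the atpsh algorithm,
    base32-encode, drop '=' padding ('=' is not legal in a DNS label).
    atpsh=none means the domain itself is the label."""
    d = signing_domain.lower()
    if hash_alg == "none":
        return d
    if hash_alg not in ("sha1", "sha256"):
        raise ValueError("unsupported atpsh algorithm: %r" % hash_alg)
    digest = hashlib.new(hash_alg, d.encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def parse_tags(txt: str) -> dict:
    """Parse a 'tag=value; tag=value' record body into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def atps_authorized(author_domain: str, signing_domain: str, hash_alg: str, dns: dict) -> bool:
    """Does <author_domain> publish an ATPS record for <signing_domain>?
    This model requires v=ATPS1 and a d= that names the signer exactly, so a
    record for one signer cannot be reused by another."""
    name = "%s._atps.%s" % (atps_label(signing_domain, hash_alg), author_domain.lower())
    for txt in dns.get(name, []):
        tags = parse_tags(txt)
        if tags.get("v") == "ATPS1" and tags.get("d", "").lower() == signing_domain.lower():
            return True
    return False


def org_domain(domain: str) -> str:
    # Simplification of the RFC 7489 organizational domain (real code uses the PSL).
    return ".".join(domain.lower().split(".")[-2:])


def dkim_aligned(from_domain: str, signing_domain: str, adkim: str = "r") -> bool:
    """DMARC identifier alignment: strict = exact match, relaxed = same org domain."""
    if adkim == "s":
        return from_domain.lower() == signing_domain.lower()
    return org_domain(from_domain) == org_domain(signing_domain)


def evaluate(from_domain: str, verified_sigs: list, dns: dict, adkim: str = "r") -> str:
    """DMARC DKIM check extended with ATPS.  verified_sigs: tag dicts (d=, and
    optionally atps=, atpsh=) of signatures that already verified."""
    for sig in verified_sigs:                      # plain DMARC: an aligned d= wins
        if dkim_aligned(from_domain, sig["d"], adkim):
            return "pass (aligned DKIM d=%s)" % sig["d"]
    for sig in verified_sigs:                      # fallback: authorized third party
        atps, atpsh = sig.get("atps"), sig.get("atpsh")
        if not atps or not atpsh:                  # this model requires both tags
            continue
        if atps.lower() != from_domain.lower():    # atps= must name the From: domain
            continue
        if atps_authorized(from_domain, sig["d"], atpsh, dns):
            return "pass (ATPS-authorized third party d=%s)" % sig["d"]
    return "fail"


def build_zone() -> dict:
    """Constructed zone for author.example: authorizes esp.example via ATPS
    under both hash labels, as the zone owner would publish them."""
    zone = {}
    for alg in ("sha1", "sha256"):
        zone["%s._atps.author.example" % atps_label("esp.example", alg)] = ["v=ATPS1; d=esp.example"]
    return zone


if __name__ == "__main__":
    dns = build_zone()
    cases = [
        ("delegated DKIM, d=author.example", [{"d": "author.example"}]),
        ("ESP signs own domain + atps", [{"d": "esp.example", "atps": "author.example", "atpsh": "sha256"}]),
        ("ESP signs own domain, no atps", [{"d": "esp.example"}]),
        ("unauthorized signer claims atps", [{"d": "other.example", "atps": "author.example", "atpsh": "sha256"}]),
    ]
    for label, sigs in cases:
        print("%-36s -> %s" % (label, evaluate("author.example", sigs, dns)))
```

The point the model makes concrete: with delegation the author domain hands its identity (and a selector's worth of key material) to the ESP, whereas with ATPS the ESP keeps its own d= and the author domain merely publishes a per-signer authorization under its own zone. Either way the From: domain remains the anchor that decides, which is exactly the dependency the quoted reply objects to; a signer that is neither aligned nor listed under <label>._atps.<From: domain> fails regardless of what it puts in atps=.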