Re: [dmarc-ietf] Charter improvements
"Kelley, John" <john.kelley@teamaol.com> Tue, 16 July 2013 17:29 UTC
Return-Path: <john.kelley@teamaol.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5441521F9A2A for <dmarc@ietfa.amsl.com>; Tue, 16 Jul 2013 10:29:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZoJLiQ+wEkHm for <dmarc@ietfa.amsl.com>; Tue, 16 Jul 2013 10:29:35 -0700 (PDT)
Received: from omr-d03.mx.aol.com (omr-d03.mx.aol.com [205.188.109.200]) by ietfa.amsl.com (Postfix) with ESMTP id 6EA1F21F991E for <dmarc@ietf.org>; Tue, 16 Jul 2013 10:29:35 -0700 (PDT)
Received: from AOLDTCMEI31.ad.aol.aoltw.net (aoldtcmei31.office.aol.com [10.180.121.109]) by omr-d03.mx.aol.com (Outbound Mail Relay) with ESMTP id 2F78C700B048B for <dmarc@ietf.org>; Tue, 16 Jul 2013 13:29:34 -0400 (EDT)
Received: from AOLDTCMES31.ad.aol.aoltw.net ([169.254.8.227]) by AOLDTCMEI31.ad.aol.aoltw.net ([10.180.121.108]) with mapi id 14.03.0123.003; Tue, 16 Jul 2013 13:29:34 -0400
From: "Kelley, John" <john.kelley@teamaol.com>
To: "J. Trent Adams" <jtrentadams@gmail.com>
Thread-Topic: [dmarc-ietf] Charter improvements
Thread-Index: AQHOduT0Pyi+C7IeHkuLGYN+GiJe1JlSK9OAgAB7B4CAFSOwAIAAHs8A
Date: Tue, 16 Jul 2013 17:29:32 +0000
Message-ID: <033CB4C9-979B-42B5-A0FE-8D0EB33B0E6C@teamaol.com>
References: <20130702052746.15876.qmail@joyce.lan> <51D3464D.2060502@sonnection.nl> <0A91244B-1CAE-491A-865B-E2BA64AFB366@tnpi.net> <51E56928.4020207@gmail.com>
In-Reply-To: <51E56928.4020207@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.17.8.193]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <B7A42DDA6F09544AAC140C83ED0DA6E1@teamaol.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] Charter improvements
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2013 17:29:39 -0000
On Jul 16, 2013, at 11:39 AM, J. Trent Adams <jtrentadams@gmail.com> wrote: > > Thanks, everyone, for their input on this thread (and to John for the > pointer how to get back to land when I blundered into the wrong stream). > Editing the proposed charter is a lot easier with this feedback. > > From what I can tell, the most important question needing to be answered > is whether or not revising the base DMARC specification is within scope > of the proposed work group. Following Russ's guidance, it seems that we > should start from the assumption that it's not in scope for now given > the fact that it's being sponsored by an AD as an Individual Submission. > > Regardless of whether that's the right path, or not, let's explore it as > an option and see how the rest of the items identified in the proposed > charter play out. Then we can leverage the outcome of the conversation > to potentially revisit the fate of the base specification itself. > > Given that guidance, here're the most obvious (and noncontroversial?) > items needing to be done to shore up the proposed charter: > > * Correct the text regarding the current path of the specification. > * Tone down the "marketing puffery". > * Clarify how to address "backward compatibility" with the installed base. > > I've already updated the description of the current path of the base > specification from "Independent Submission" to "Individual Submission", > so that's one down. I'll pull out my red pen on the other two topics and > see if I can make them more reasonable. > > Skipping ahead. . . here're the items that have previously been proposed > as worth exploring in the setting of an IETF work group: > > ----- > * a mechanism for determining the organizational domain name based on an > arbitrary fully-qualified hostname > ----- > > If I'm not mistaken, the Apps Area WG has already expressed an interest > in this work. In that case, I believe that this WG would only need to > track that effort and ensure that its work addresses the use cases > required to support DMARC. > > QUESTION: Given that it's an important topic, and there's no guarantee > that the other effort will result in an applicable solution, would it > still be reasonable to include a mention of this as worth exploration? > If so, it'd probably make sense to reference the other work as a > starting point to clarify we're not planning to spin up a competing > solution. +1 I agree with monitor and only address if needed. A mention about the other work is fine. > > ----- > * a mechanism for detecting abuse involving the <display-name> portion > of the RFC5322.From field > ----- > > This is an interesting item in that there have been some proposals from > contributors to the base DMARC specification to address this. The > proposals, as you can see, didn't make it through to a consensus and it > was suggested that they be brought to the broader community for > consideration. It's highly likely that through the WG process we're able > to identify a means by which this issue can be addressed. > > QUESTION: Does it make sense for this proposed WG to explore how the > base specification can be extended to apply the same level of > "identifier alignment" to the <display-name> as is helping defend the > <address-spec>? > +1 > ----- > * a mechanism for mitigating the effect of failures of DMARC policy when > a message transits a mailing list > ----- > > I recognize that there's definitely a counter-pressure against including > this topic as it seems to be a potentially quixotic quest. That being > said, even if we don't find the perfect solution, it does seem > reasonable to believe there is a way to provide something more than > nothing that does help in some meaningful way. I'm not presupposing a > solution, just that there have been a few possible options discussed at > the edges which are likely to be worth more rigorous exploration. > > QUESTION: Is there value in a WG such as this exploring possible > solutions to this issue and developing guidance that would potentially > help improve the utility of the base DMARC specification? > -1 Not sure what continued debate here would accomplish. > ----- > * support for the notion of transitive trust (i.e., "host X trusted the > sender of this message, and I trust X, so you should too") > ----- > > I see this as similar to the above, but potentially more broadly > applicable. One tweak I'd offer would be to replace ", so you should > too" with something like ", so you could choose to as well". > > QUESTION: Is there value in a WG such as this exploring possible > solutions to this issue and developing guidance that would potentially > help improve the utility of the base DMARC specification? > +1 I agree there is a potential value added for transitive trust. I am not completely sold that a DMARC group is the place to hammer it out, but its probably worth discussing. > ----- > * more robust transport of reports > ----- > > After over a year of deployment, and the rise in support services > handling reports, many folks have suggested that it would be worth > exploring how to offer additional optional means of transport for > reports. The base DMARC specification provides for this, but it is an > area that was left to be extended by a group such as this. > > QUESTION: Is this an area of exploration that is of enough interest to > include in the charter for this proposed work group? > +1 > Beyond those, the topics in the proposed "Using DMARC" document have > already proven useful in clarifying some options that aren't typically > included in a base specification. For example, here a few items that may > benefit from being specifically called out in the charter as worth > exploring: > > * Identifier alignment configuration options > * Implementation decisions regarding "pct" > * Determining effective RUA sending frequency > * Leveraging policy caching > * Various options for integrating within an existing flow > * Defining a useful, common set of RUA reporting options > * When and how to use local policy override options > > QUESTION: Do any items on this list seem to be worth specifically adding > to the proposed charter as examples of the type of work that would be > useful? > None of those items are jumping out at me as something that MUST be part of the WG output. > Finally, this list of potential work items was developed a while ago, > and it's likely additional possible areas of exploration have surfaced > since then. Are there any other substantive items that would be worth > adding to the list? Keeping in mind, of course, that our first cut will > be to assume that the base specification isn't in scope for now. > Nothing comes to mind > Once the dust settles a bit around these items, I'll take another whack > at the charter text to at least get it stable for now. Then we can > bubble up the bigger question and see if we can tackle that given the > input I've seen recently on other threads. > > Thanks again, > Trent > John Kelley > > On 7/2/13 10:50 PM, Matt Simerson wrote: >> On Jul 2, 2013, at 2:29 PM, "Rolf E. Sonneveld" <R.E.Sonneveld@sonnection.nl> wrote: >> >>>> In view of the large base of running DMARC >>>> code, the group will avoid changes that would cause incompatible >>>> changes to bits on the wire. >>> -1 >>> >>> Granted, the installed base is large, but let's not ignore the other 40 percent of the Internet. IETF standards are standards for the _entire_ Internet community, not just ten or twenty of the largest companies in a specific area. The WG should not be bound by 'bits on the wire' in their review and possible comments on the standard. Otherwise the IETF is to a large extent degraded to the 'rubber stamp business' Scott mentioned. >>> >>> Don't get me wrong: the outcome of the discussions may well be that nothing will change on the wire and that'd be fine. But including this in the Charter as a precondition for the work to be done is wrong in my opinion. >> +1 to Rolf's -1. >> >> I'm happy to see DMARC moving towards becoming a standard. Validation of incoming messages is a great feature. Reporting is more timely and structured than bounce messages. But for the vast majority of mail senders, DMARC is close to useless because of the forwarder / mailing list issue. >> >> "DMARC policies are not appropriate for domains with users who send mail through mailing lists" --John R Levine >> >> "SMTP refusal to an unmapped-but-reliable forwarder is likely to cause list unsubscription." --Roland Turner >> >> The mailing list issue is intractable and also a huge implementation barrier that is barely documented. For legit domain owners (ie, not abusers) that wish to use DMARC to curtail phishing from their domains, they will need to choose between losing legit mail (DMARC + mailing lists) or not losing legit mail (no DMARC). >> >> Most of the broader internet community does not have the resources to "map the exit IP addresses of well-behaved forwarders and ignore DMARC results for messages that come from those addresses." As such, many domain owners will deploy DMARC, lose valid mail, and then reject the technology. >> >> While it may be kinda sorta true that DMARC "protects 60% of global consumer mailboxes," it seems to be marketing puffery. While 60% of global mailboxes may have some form of DMARC validation, the number of legit domains that do and potentially *can* deploy DMARC records is absurdly low. >> >> Other minor Issues such as report loops (DMARC reporters reporting each others DMARC reports to each other ad infinitum) are minor and have simple (but not yet documented) workarounds but could also be addressed technically, rather than requiring workaround documentation. >> >> Matt >> >> _______________________________________________ >> dmarc mailing list >> dmarc@ietf.org >> https://www.ietf.org/mailman/listinfo/dmarc > > -- > J. Trent Adams > > Profile: http://www.mediaslate.org/jtrentadams/ > LinkedIN: http://www.linkedin.com/in/jtrentadams > Twitter: http://twitter.com/jtrentadams > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Dave Crocker
- [dmarc-ietf] DMARC BoF at IETF 87, Berlin Barry Leiba
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Russ Housley
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin J. Trent Adams
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin John Levine
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Dave Crocker
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Russ Housley
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Scott Kitterman
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Barry Leiba
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Franck Martin
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Scott Kitterman
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin John Levine
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Scott Kitterman
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Franck Martin
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin John Levine
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Franck Martin
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin John R Levine
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Dave Crocker
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin John Levine
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Dave Crocker
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin John R Levine
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Scott Kitterman
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Dave Crocker
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Dave Crocker
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin John R Levine
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Scott Kitterman
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Scott Kitterman
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Dave Crocker
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Scott Kitterman
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Dave Crocker
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Dave Crocker
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Scott Kitterman
- Re: [dmarc-ietf] Charter improvements John Levine
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Scott Kitterman
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Dave Crocker
- Re: [dmarc-ietf] Charter improvements Dave Crocker
- Re: [dmarc-ietf] DMARC BoF at IETF 87, Berlin Barry Leiba
- Re: [dmarc-ietf] Charter improvements John Levine
- Re: [dmarc-ietf] Charter improvements Dave Crocker
- Re: [dmarc-ietf] Charter improvements John Levine
- Re: [dmarc-ietf] Charter improvements Dave Crocker
- Re: [dmarc-ietf] Charter improvements Rolf E. Sonneveld
- Re: [dmarc-ietf] Charter improvements Dave Crocker
- Re: [dmarc-ietf] Charter improvements Matt Simerson
- Re: [dmarc-ietf] Charter improvements SM
- Re: [dmarc-ietf] Charter improvements J. Trent Adams
- Re: [dmarc-ietf] Charter improvements Dave Crocker
- Re: [dmarc-ietf] Charter improvements MH Michael Hammer (5304)
- Re: [dmarc-ietf] Charter improvements Scott Kitterman
- Re: [dmarc-ietf] Charter improvements Kurt Andersen
- Re: [dmarc-ietf] Charter improvements Kelley, John
- Re: [dmarc-ietf] Charter improvements Dave Crocker
- Re: [dmarc-ietf] Charter improvements Mike Jones
- Re: [dmarc-ietf] Charter improvements Franck Martin
- Re: [dmarc-ietf] Charter improvements Barry Leiba
- Re: [dmarc-ietf] Charter improvements Dave Crocker
- Re: [dmarc-ietf] Charter improvements Roland Turner
- Re: [dmarc-ietf] Charter improvements Dave Crocker
- Re: [dmarc-ietf] Charter improvements Murray S. Kucherawy
- Re: [dmarc-ietf] Charter improvements Murray S. Kucherawy
- Re: [dmarc-ietf] Charter improvements Dave Crocker
- Re: [dmarc-ietf] Charter improvements Murray S. Kucherawy
- Re: [dmarc-ietf] Charter improvements Greg Colburn