Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd

Dave Crocker <dcrocker@gmail.com> Wed, 04 September 2019 13:28 UTC

Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6871D1200F3 for <dmarc@ietfa.amsl.com>; Wed, 4 Sep 2019 06:28:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YT-pBvjABkfD for <dmarc@ietfa.amsl.com>; Wed, 4 Sep 2019 06:28:47 -0700 (PDT)
Received: from mail-ot1-x32e.google.com (mail-ot1-x32e.google.com [IPv6:2607:f8b0:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DF3C1200DB for <dmarc@ietf.org>; Wed, 4 Sep 2019 06:28:47 -0700 (PDT)
Received: by mail-ot1-x32e.google.com with SMTP id c7so20622808otp.1 for <dmarc@ietf.org>; Wed, 04 Sep 2019 06:28:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=n1f99aScuc1KvkE2Q2R8EaCJCqx4i6tJ7SP/gIUN2VI=; b=U5lSAimhgcCNSLNcDEnp3LVneVQCzfbD5G7mSt7JRrPR4sWL63MIgXhZNFQLOxcjPy 0ke8/d+TkH0X1D0gpHF2kahrUfPDDp+REsvgMf6BKzfvuKB5fIYsTKsyLk0TWvc/SADZ L4MdtMrgPUFbfwAjM9s6M+ptAeBR1GQkgo6zLQyXBNIf4ZTfkIUHMB2S1Lljcou7Qskk qCFv1TxTaOI6BrFVamz0BtahGgr6oWSgPmDpAQEQcdkZ9S/Sv0bQqaBOBCgMnYMt1iPk OLjVOAOICssdrj2MVIfO6TDMNN+q5WDRUh//17GMvjHHIGHQUck65mwlTXKhaKywHn0G a+NA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=n1f99aScuc1KvkE2Q2R8EaCJCqx4i6tJ7SP/gIUN2VI=; b=hpfaxnCjSmqN2I7HrJe9DSWG95+TI9N/tQ41aCfwO6+W1oTAfwDal+Otbu6uewzSAL IINbitC2R/f0twH7r5h4w56jcOtQtRf4OKsB6mme1D0pq8mR5cE0dkm1gXTgu1n+3pj/ KCw36FYDMxmO2CtxaXaWJmekkEhNBxfdLCCgguE49y/TeNhJjVsw60Epuos7a2dwpi9Y shtlU0zYD08bv4e7mJCH2IK2+8kZIAzy29YiUI8FYd4kOEacpJgcyMghkaT5aKaVnbUi xA7kvzMJEeE6KB1v3CVrjuRsnAKFmacKj3WbIF+mxVpUipmyCyXrqRc3dw5Y94kQCNyv ZD/Q==
X-Gm-Message-State: APjAAAUUcMDnjcL8a6PHCuVA/mFqFaWwCvJ2yvR7es2lwA/95r4Dg2Zl Ns74XsucUVj5dWg93fqbCwK8Ip/7
X-Google-Smtp-Source: APXvYqxNsQxUtnOGAABFEDDTykpSOTCyR13lkiAz5n/RXix7FjsuINa95jymKnSrNuZeVEdoLrdzdQ==
X-Received: by 2002:a9d:634b:: with SMTP id y11mr18755780otk.24.1567603725867; Wed, 04 Sep 2019 06:28:45 -0700 (PDT)
Received: from ?IPv6:2600:1700:a3a0:4c80:978:d464:8bc:3684? ([2600:1700:a3a0:4c80:978:d464:8bc:3684]) by smtp.gmail.com with ESMTPSA id l14sm5420944oii.27.2019.09.04.06.28.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 04 Sep 2019 06:28:45 -0700 (PDT)
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <728d7df1-d563-82f4-bfb3-a65a75fdd662@gmail.com> <CAL0qLwacbAT04tckpPcRcnOt=1QByOBeJ7uDf6rNK6NRwtxZYg@mail.gmail.com>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <51219bbd-3785-e6bb-414a-bd564b6c856d@gmail.com>
Date: Wed, 4 Sep 2019 06:28:41 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <CAL0qLwacbAT04tckpPcRcnOt=1QByOBeJ7uDf6rNK6NRwtxZYg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/pU-S5E9yean2LYWOLQYJ5ShbYf4>
Subject: Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2019 13:28:49 -0000

Murray,

Thanks for the diligent reply.

(As a matter of etiquette, I will again apologize for not having 
submitted my concerns earlier.  Partially, this was because my 
assessment of the work did not gel until recently.)


Some responses:

On 9/3/2019 8:57 AM, Murray S. Kucherawy wrote:
>  From a higher level view, the experiment can be seen as the temporary 
> construction of an augmented PSL (i.e., the actual PSL coupled with the 
> queryable registry described in Appendix B), which DMARC then can 
> consume to resolve the use cases that have appeared which now need to be 
> addressed.  The portion of the experiment comprising an augmentation to 
> DMARC’s algorithm would therefore not be part of DMARC permanently. 
> Then, if the experiment proves effective, that would become prima facie 
> evidence that the PSL, augmented with this additional information, would 
> enable DMARC to resolve those use cases.  Such an augmented PSL would 
> still conform to the desirable separation of functions to which you alluded.

This model of iterative design does not match my own sense of IETF work, 
experimental or otherwise.

Simply put, 'temporary' is an appealing but highly misleading construct, 
in the form and scale of a standards body.[*]  The closest reality comes 
to matching that term is when the 'experiment' fails utterly and the 
effort must completely restart. When work like this operates over a 
period of years and at Internet scale, nothing is temporary.

If an experiment succeeds, the specified work will have become 
entrenched and there will be significant resistance to making major changes.

With respect to the use of this work as a model for changes to the PSL, 
unfortunately the spec is not written in a fashion to support that. 
This really is a core concern, in my view: the work needs to have a 
basic model that really is expected to be appropriate for the long term; 
hence my suggestion to highly limit any changes to DMARC and, instead, 
cast the bulk of the work as augmenting the PSL.

That said, and as for getting changes to the PSL, based on my 
interactions with that community, I think it unlikely.  There does not 
seem to be the interest or resources for such work.  Strategically, 
that's the biggest hurdle to overcome, IMO.



> In addition, there are a few very large players in the space who are 
> unfortunately reticent to declare publicly that they are interested in 
> seeing this evolutionary experiment proceed.  These include large email 
> providers and operators of sizable TLDs in need of the capabilities 
> pursued here. This provides some weight to the idea that this will not 
> be simply a niche experiment.

Good to hear.


> Lastly, we note that the idea of “walk up one node” came from an email 
> thread in December[1] wherein you suggested that approach, and which the 
> PSD draft now follows.  We are thus a little surprised by the assertion 
> that it should not proceed at all. Was there some content of that thread 
> that was not taken into account that would make it palatable?
..
> [1] https://mailarchive.ietf.org/arch/msg/dmarc/pQpKag3acqIISxb-SOrJ3mHFayI

Sigh.  Yeah.  Still again, sorry.  Mostly this is a case of letting an 
idea simmer for a while, to think about it more.  My feeling is that the 
idea does not adequately attend to the items 1 and 2 I listed in that note.

Hence my current view that:

1. The change to DMARC should be limited to permitting the query for the 
organization domain to be anywhere in the DNS tree, including a TLD. 
Within DMARC this would not look like 'extra' mechanism.

2. The mechanism that processes that query should be cast strictly as a 
PSL enhancement, independent of DMARC.


d/

[*] Note the 'obsolete' construct in RFC 5322.  It was introduced in RFC 
2822, as a revision to RFC 822, 20 years ago.  As is obvious, it's 
intent was to eliminate use of the portions of RFC 822 deemed obsolete. 
Yet these portions still haven't been eliminated from the specification. 
  Twenty years later.

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net