Re: "why I quit writing internet standards"

Hector Santos <> Sun, 20 April 2014 19:44 UTC

Date: Sun, 20 Apr 2014 15:43:44 -0400
From: Hector Santos <>
Organization: Santronics Software, Inc.
To: Douglas Otis <>, Dave Crocker <>
Subject: Re: "why I quit writing internet standards"
Cc: Scott Kitterman <>,

On 4/20/2014 2:25 PM, Douglas Otis wrote:
> That said, DMARC was never intended to address needs beyond the
> narrow scope of high value transactional email.

And unfortunately, this attitude was always wrong. Hate to say, but "I 
told you so." What the design attitude says is this:

     If the domain is high value, then only apply policy.
     For all others, ignore it.

Well, what is "high value?" How do you distinguish "value" in an 
anonymous world? Must everyone have a profile in some Good Reputation 
Databases? Fee based? Even if we want this, we are not there yet!!

The seed of all this author domain brush back was born in the 
unfortunate last-minute addition of item 10 in Section 5.3 of the 
RFC 5016 DKIM Signing Practices requirements document, which strongly 
mandates that a 1st party policy MUST NOT override the 3rd party policy.

    RFC 5016, Section 5.3

    10. SSP MUST NOT provide a mechanism that impugns the existence of
        non-first party signatures in a message.  A corollary of this
        requirement is that the protocol MUST NOT link practices of first
        party signers with the practices of third party signers.

          INFORMATIVE NOTE: the main thrust of this requirement is that
          practices should only be published for that which the publisher
          has control, and should not meddle in what is ultimately the
          local policy of the receiver.

          Refs: Deployment Consideration, Section 4.3.

Just replace the term SSP with DMARC and you have the same thing. This 
is where all the resistance towards author domain policies began, with 
this written-in-stone functional requirement. This attitude is still 
among us. Not saying it's completely wrong, but it's certainly not right 
either. Yahoo proved it for us.

The irony?

Rather than try to honor policy to keep the security high, we are 
looking for ways to circumvent it.  Ignoring Policy no longer works.
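As an added illustration of the first-party versus third-party policy question discussed in the message above (example code written for this page, not code from the thread or from any DMARC implementation), here is a minimal DMARC-style evaluator. The policy records, domain names and messages are constructed sample data; the organizational-domain logic is deliberately simplified.

```python
"""Added example (not code from the original message): a minimal
DMARC-style evaluator showing what RFC 5016 item 10 warned against.
The author (RFC5322.From) domain's published policy is applied to
every message, so a valid but unaligned third-party DKIM signature
(for example a mailing list re-signing) cannot rescue a message whose
author domain publishes p=reject. The policy records and messages are
constructed sample data, not real DNS or mail."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed author-domain policies (stand-ins for _dmarc TXT records).
POLICIES = {
    "bank.example": {"p": "reject", "adkim": "s"},   # strict alignment
    "blog.example": {"p": "none", "adkim": "r"},     # monitor only
}

@dataclass
class Message:
    from_domain: str                        # RFC5322.From domain
    dkim_domains: List[str] = field(default_factory=list)  # d= of verified sigs
    spf_domain: Optional[str] = None        # MAIL FROM domain, only if SPF passed

def org_domain(d: str) -> str:
    """Simplified organizational domain: the last two labels."""
    return ".".join(d.lower().split(".")[-2:])

def aligned(ident: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict mode needs an exact match."""
    if mode == "s":
        return ident.lower() == from_domain.lower()
    return org_domain(ident) == org_domain(from_domain)

def evaluate(msg: Message):
    """Return (disposition, reason); p=none maps to 'accept'."""
    policy = POLICIES.get(org_domain(msg.from_domain))
    if policy is None:
        return "accept", "author domain publishes no policy"
    mode = policy.get("adkim", "r")
    dkim_ok = any(aligned(d, msg.from_domain, mode) for d in msg.dkim_domains)
    spf_ok = msg.spf_domain is not None and aligned(msg.spf_domain, msg.from_domain, mode)
    if dkim_ok or spf_ok:
        return "accept", "an aligned identifier authenticated"
    action = "accept" if policy["p"] == "none" else policy["p"]
    if msg.dkim_domains:
        # Valid third-party signatures are present but carry no weight here.
        return action, f"only unaligned signatures verified: {msg.dkim_domains}"
    return action, "nothing authenticated"
```

A message from bank.example relayed and re-signed by lists.example verifies fine as DKIM, yet the author-domain policy still says reject; that is the linkage of first-party policy to third-party signatures the RFC text above objects to.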