Re: not really to do with Re: WG Review: Domain-based Message Authentication, Reporting & Conformance (dmarc)
ned+ietf@mauve.mrochek.com Tue, 15 July 2014 18:12 UTC
Return-Path: <ned+ietf@mauve.mrochek.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9D231A0AEC for <ietf@ietfa.amsl.com>; Tue, 15 Jul 2014 11:12:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.553
X-Spam-Level:
X-Spam-Status: No, score=-2.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fz-GgrYSDGyf for <ietf@ietfa.amsl.com>; Tue, 15 Jul 2014 11:12:28 -0700 (PDT)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.159.242.17]) by ietfa.amsl.com (Postfix) with ESMTP id 05BA11A04E7 for <ietf@ietf.org>; Tue, 15 Jul 2014 11:12:28 -0700 (PDT)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01PA7DC5CWZK008J8D@mauve.mrochek.com> for ietf@ietf.org; Tue, 15 Jul 2014 11:07:27 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: TEXT/PLAIN; CHARSET="us-ascii"
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01PA1SES1000007ZXF@mauve.mrochek.com> (original mail from NED@mauve.mrochek.com) for ietf@ietf.org; Tue, 15 Jul 2014 11:07:24 -0700 (PDT)
From: ned+ietf@mauve.mrochek.com
Message-id: <01PA7DC3IFS0007ZXF@mauve.mrochek.com>
Date: Tue, 15 Jul 2014 10:22:57 -0700
Subject: Re: not really to do with Re: WG Review: Domain-based Message Authentication, Reporting & Conformance (dmarc)
In-reply-to: "Your message dated Tue, 15 Jul 2014 09:21:29 -0700" <53C55509.8050108@dcrocker.net>
References: <20140714164212.22974.20340.idtracker@ietfa.amsl.com> <4450964.7UmRiHm4KW@scott-latitude-e6320> <20140715001549.GG2595@mournblade.imrryr.org> <2270075.AYnCC6OxAQ@scott-latitude-e6320> <20140715033346.GL2595@mournblade.imrryr.org> <026301cfa01a$7ebdde40$4001a8c0@gateway.2wire.net> <20140715112023.GU2595@mournblade.imrryr.org> <01PA78TOWR4O007ZXF@mauve.mrochek.com> <53C55509.8050108@dcrocker.net>
To: Dave Crocker <dhc@dcrocker.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/HxG6QFlsQsyY2kij1O2RPwQ4Exs
Cc: ned+ietf@mauve.mrochek.com, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jul 2014 18:12:29 -0000
> On 7/15/2014 8:12 AM, ned+ietf@mauve.mrochek.com wrote: > >> On Tue, Jul 15, 2014 at 09:06:55AM +0100, t.p. wrote: > >>>> MUAs should expose message origin when different from author. > ... > >>> A fine idea, but, as a pragmatic engineer, I know that changes to an MUA > >>> will take five, may be ten, years to achieve widespread deployment, > >>> whereas changes to MTA could happen in a matter of weeks, if needs must. > ... > >> The expedient approach has not worked, it should have been done right > >> long ago, and should still be done right in the present. > > > > You know, I'm finding it difficult to argue with this. > I'm not. > 1. For one thing, I don't know what the reference to 'expedient > approach' means. Mostly this thread seems to be making very generic, > simple assumptions and assertions about problems and remedies. Without > specific details on what problem is to be solved, what use cases it will > satisfy, and why we should believe they will work, the thread is not > likely to be constructive. It should go without saying that the context here isn't what's been said on this specific thread, but rather all of the past exchanges here and on any number of other lists leading up to this point. Among other things this includes the posting of several drafts offering concrete proposals. Both the problem and solution space have been explored in some depth, albeit rather haphazardly. And while it may be the case that a novel solution will emerge that blows everything else away, since I've seen that happen exactly twice in the past 25 years, I'm not betting the farm on it happening here. > 2. References to changes in MUA appear to be pointing to assumptions > about efficacy of what is displayed to users. Such assumptions are > empirically incorrect, and mostly serve to demonstrate why the IETF is > the wrong place for discussion about UI/UX/UCD and human usability > issues. Really, the disconnect between that one assumption and what is > actually known about email user behavior is fundamental. I've been letting this set of assertions float by unchallenged for a long time, in part because the effort needed to change dogmatic beliefs is considerable, and in part because like most dogma, there's a kernel of truth buried inside. This seems like as good a time as any to stop doing that. So: This is little more than pernicious nonsense. First, this is essentially a strawman. We're not talking about dictating UI design here. What we're talking about are the semantics and general handling requirements for some of the most basic protocol elements in email. Nobody is saying that we should start specifying what has to be diplayed to users, let alone how. But saying something like, "From tells you who wrote the message, sender tells you who sent it if that's someone different, and here are the various problems that can occur if you fail to take that into account ..." strikes me as entirely reasonable to say. For heaven's sake, we have as a process _requirement_ that we provide security considerations for the stuff we standardize. On what planet does the failure to make the security semantics and consequences of mishandling them make sense? There's also running code in this area: RFC 2049 specifies user agent handling requirements for MIME conformance. To the extent these have been followed - and I admit there's an issue with our ability to affect change in this regard - I know of no deleterious effects this has had. Nor can I recall any serious criticisms having been leveled at the document. Indeed, in hindsight, we didn't go far enough in specifying what conformant handling of MIME should be, and we've paid the price for that in a variety of ways. Finally, there's also a issue with the continued assertion - which AFAIK is backed up with not one scintilla of evidence - of the total lack of IETF expertise in UI design. But since that's not relevant here, I'll leave that for another exchange. > 3. Nonetheless, the language in the draft charter provides for the > possibility of making incompatible changes to DMARC. However it > requires /very/ careful documentation of the basis. See #1, above. True, but beside the point. The point, at least from my perspective, is the one I made before: At a minimum any scheme that's produced needs to be compared against the prospect of a proposal built around embracing the full semantics of the relevant fields. > > I've long been a supporter of using From/Sender semantics, but I've also bought > > into the assumption that current client behavior made use of these semantics > > problematic. > Cleaning up From:/Sender: semantics and usage is a worthy goal, as is > generally developing a much cleaner model of identifying and > authenticating the various actors involved with a message. > But it's not likely to have much to do with DMARC, anytime soon. I've yet to see any evidence that anything being proposed will have any effect on DMARC in the short term. I've heard a bunch of assertions that if the need arose MTA changes can be rolled out quickly. I have 25+ years of experience doing this stuff that says otherwise. Ned
- Re: WG Review: Domain-based Message Authenticatio… Dave Crocker
- Re: WG Review: Domain-based Message Authenticatio… Scott Kitterman
- Re: WG Review: Domain-based Message Authenticatio… Viktor Dukhovni
- Re: WG Review: Domain-based Message Authenticatio… Douglas Otis
- Re: WG Review: Domain-based Message Authenticatio… Viktor Dukhovni
- Re: WG Review: Domain-based Message Authenticatio… Scott Kitterman
- Re: WG Review: Domain-based Message Authenticatio… Viktor Dukhovni
- not really to do with Re: WG Review: Domain-based… t.p.
- Re: not really to do with Re: WG Review: Domain-b… Viktor Dukhovni
- Re: WG Review: Domain-based Message Authenticatio… John Levine
- Re: not really to do with Re: WG Review: Domain-b… ned+ietf
- Re: not really to do with Re: WG Review: Domain-b… Dave Crocker
- Re: WG Review: Domain-based Message Authenticatio… Scott Kitterman
- RE: not really to do with Re: WG Review: Domain-b… Christian Huitema
- Re: not really to do with Re: WG Review: Domain-b… ned+ietf
- Re: WG Review: Domain-based Message Authenticatio… Murray S. Kucherawy
- Re: WG Review: Domain-based Message Authenticatio… Murray S. Kucherawy
- Re: not really to do with Re: WG Review: Domain-b… John Levine
- Re: WG Review: Domain-based Message Authenticatio… Scott Kitterman
- Re: not really to do with Re: WG Review: Domain-b… Dave Crocker
- Re: not really to do with Re: WG Review: Domain-b… Viktor Dukhovni
- Re: not really to do with Re: WG Review: Domain-b… Douglas Otis
- Re: not really to do with Re: WG Review: Domain-b… John Levine
- Re: not really to do with Re: WG Review: Domain-b… Scott Kitterman
- Re: not really to do with Re: WG Review: Domain-b… Dave Crocker
- Re: not really to do with Re: WG Review: Domain-b… Viktor Dukhovni
- Re: not really to do with Re: WG Review: Domain-b… Niels Dettenbach (Syndicat IT&Internet)
- Re: really to do with Re: WG Review: Domain-based… Alessandro Vesely
- Re: not really to do with Re: WG Review: Domain-b… Scott Kitterman
- Re: not really to do with Re: WG Review: Domain-b… t.p.
- Re: WG Review: Domain-based Message Authenticatio… Dave Crocker
- Re: not really to do with Re: WG Review: Domain-b… Hector Santos
- Re: WG Review: Domain-based Message Authenticatio… Hector Santos
- Re: WG Review: Domain-based Message Authenticatio… Pete Resnick
- Re: WG Review: Domain-based Message Authenticatio… S Moonesamy
- Re: WG Review: Domain-based Message Authenticatio… Dave Crocker
- Re: WG Review: Domain-based Message Authenticatio… S Moonesamy
- Re: WG Review: Domain-based Message Authenticatio… Dave Crocker
- Re: WG Review: Domain-based Message Authenticatio… Martin Rex
- Re: WG Review: Domain-based Message Authenticatio… Dave Crocker
- Re: WG Review: Domain-based Message Authenticatio… Martin Rex
- Re: WG Review: Domain-based Message Authenticatio… Randy Bush
- Re: WG Review: Domain-based Message Authenticatio… John Levine
- Re: WG Review: Domain-based Message Authenticatio… S Moonesamy
- Re: WG Review: Domain-based Message Authenticatio… Barry Leiba
- Re: WG Review: Domain-based Message Authenticatio… John C Klensin
- Re: WG Review: Domain-based Message Authenticatio… Dave Crocker
- Re: WG Review: Domain-based Message Authenticatio… S Moonesamy
- Re: WG Review: Domain-based Message Authenticatio… John C Klensin
- Re: WG Review: Domain-based Message Authenticatio… John C Klensin
- Re: WG Review: Domain-based Message Authenticatio… Barry Leiba
- Re: WG Review: Domain-based Message Authenticatio… John R Levine
- Re: WG Review: Domain-based Message Authenticatio… Martin Rex
- Registration policies (was: WG Review: Domain-bas… S Moonesamy
- Re: Registration policies (was: WG Review: Domain… Barry Leiba
- Re: WG Review: Domain-based Message Authenticatio… Dave Crocker
- Re: WG Review: Domain-based Message Authenticatio… Pete Resnick
- Re: WG Review: Domain-based Message Authenticatio… Murray S. Kucherawy
- Re: WG Review: Domain-based Message Authenticatio… Pete Resnick
- Re: Registration policies (was: WG Review: Domain… S Moonesamy
- Re: Registration policies (was: WG Review: Domain… Barry Leiba
- Re: Registration policies (was: WG Review: Domain… Murray S. Kucherawy
- Re: Registration policies (was: WG Review: Domain… Barry Leiba
- Re: Registration policies (was: WG Review: Domain… Murray S. Kucherawy
- [***SPAM***] Re: Registration policies (was: WG R… S Moonesamy
- Re: WG Review: Domain-based Message Authenticatio… ned+ietf
- Re: WG Review: Domain-based Message Authenticatio… Hector Santos
- Re: WG Review: Domain-based Message Authenticatio… Martin Rex
- Re: WG Review: Domain-based Message Authenticatio… Murray S. Kucherawy
- Re: WG Review: Domain-based Message Authenticatio… Stuart Barkley
- Re: WG Review: Domain-based Message Authenticatio… Randy Bush
- Re: WG Review: Domain-based Message Authenticatio… John Levine
- DMARC and ietf.org Michael Richardson
- Re: WG Review: Domain-based Message Authenticatio… Douglas Otis
- Re: WG Review: Domain-based Message Authenticatio… S Moonesamy
- Re: DMARC and ietf.org Brian E Carpenter
- Re: [***SPAM***] Re: Registration policies (was: … Barry Leiba
- Re: DMARC and ietf.org John C Klensin
- Re: DMARC and ietf.org Brian E Carpenter
- Re: DMARC and ietf.org Hector Santos
- Re: DMARC and ietf.org Miles Fidelman
- Re: WG Review: Domain-based Message Authenticatio… Eric Burger
- Re: DMARC and ietf.org Brian E Carpenter
- Re: DMARC and ietf.org Miles Fidelman
- Re: DMARC and ietf.org Pete Resnick
- Re: DMARC and ietf.org Dave Crocker
- Re: [dmarc-ietf] WG Review: Domain-based Message … Hector Santos
- Re: WG Review: Domain-based Message Authenticatio… Martin Rex
- Re: DMARC and ietf.org Martin Rex
- Re: DMARC and ietf.org John Levine
- Re: DMARC and ietf.org Hector Santos
- RE: DMARC and ietf.org MH Michael Hammer (5304)
- Re: DMARC and ietf.org Hector Santos
- RE: DMARC and ietf.org MH Michael Hammer (5304)
- Re: DMARC and ietf.org Hector Santos
- Re: DMARC and ietf.org Viktor Dukhovni
- Re: DMARC and ietf.org Hector Santos
- Re: DMARC and ietf.org John Levine
- Re: DMARC and ietf.org John Levine
- Re: DMARC and ietf.org Rich Kulawiec
- Re: DMARC and ietf.org John Levine
- Re: DMARC and ietf.org Alessandro Vesely
- Re: DMARC and ietf.org Dave Crocker
- Re: DMARC and ietf.org Brian E Carpenter
- Re: DMARC and ietf.org ned+ietf
- Re: DMARC and ietf.org Russ Housley
- Re: DMARC and ietf.org ned+ietf
- Re: DMARC and ietf.org Dave Crocker
- Re: DMARC and ietf.org Brian E Carpenter
- Re: DMARC and ietf.org Dave Crocker
- Re: DMARC and ietf.org Michael Richardson
- Re: DMARC and ietf.org Michael Richardson
- Re: DMARC and ietf.org Michael Richardson
- Re: DMARC and ietf.org Andrew G. Malis
- Re: DMARC and ietf.org Russ Housley
- Re: DMARC and ietf.org Michael Richardson
- Re: DMARC and ietf.org Brian E Carpenter
- Re: DMARC and ietf.org Brian E Carpenter
- Re: DMARC and ietf.org Dave Crocker
- Re: DMARC and ietf.org Russ Housley
- Re: DMARC and ietf.org Michael Richardson
- Re: DMARC and ietf.org John Payne
- Re: DMARC and ietf.org John Levine