Re: DMARC from the perspective of the listadmin of a bunch of SMALL community lists

[Miles Fidelman <mfidelman@meetinghouse.net>]

Warren Kumari wrote:
> On Sat, Apr 12, 2014 at 4:30 PM, Dave Crocker <dhc@dcrocker.net> wrote:
>> On 4/12/2014 12:56 PM, Miles Fidelman wrote:
>>> - DMARC.org defines the "DMARC Base Specification" with a link to
>>> https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/ - an IETF
>>> document
>>
>> While the Internet-Draft mechanism is operated by the IETF, it is an open
>> mechanism and issuance through it carries no automatic status, particularly
>> with respect to the IETF.
> It seems that folk often miss this particular point (see the recent
> drama about draft-loreto-httpbis-trusted-proxy20). Pointing at the
> boilerplate, explaining the fact that anyone (with an Internet
> connection and an XML editor) can submit an ID, etc doesn't seem to
> work. I considered pointing at, well, anything by Terrell, but instead
> decided to publish a draft :-P
>
> http://tools.ietf.org/html/draft-wkumari-not-a-draft-00
>

Well yes, but that's the "fine print."

Who ever reads a 20-page shrink-wrap license - and he jury is still out 
as to when those apply or can be ignored.  And then there's a "warrant 
of merchantability" that vendors can be held to despite all kinds of 
disclaimers buried in a license.

When the organization that coordinated and promulgated DMARC:
- describes their efforts as "their common goal was to develop an 
operational specification to be introduced to the IETF for standardization
- refers to the only defining document as a "Base Specification" and 
links to a document, on the IETF's webserver, with an IETF document number

It's kind of easy for the uninitiated to draw the conclusion that it's a 
standards-track IETF standard.

Then, when Yahoo defends the havoc they've wrought with statements like 
(they) "designed and built something called DMARC 
<http://www.dmarc.org/>, or Domain-based Message Authentication, 
Reporting and Conformance. Today, 80% of US email user accounts and over 
2B accounts globally can be protected by the DMARC standard." - with a 
pointer to dmarc.org - and from there to an IETF webserver and document 
-- it sure is easy for the general community to draw the conclusion 
"Yahoo implemented a vetted IETF standard - and it broke all the mailing 
lists I'm on."  And it sure is easy for someone to draw the conclusion 
that the fault lies with the broken standard, not with Yahoo.

You have to look hard to figure out who really broke what.  And (IMHO) 
one would not be wrong to draw the conclusion that IETF dropped the ball 
in its role as the Internet standards body - if only in it's relative 
silence (a disclaimer in the fine print does not constitute exercising 
one's professional or institutional responsibilities).

ISO, for example, has processes for complaining about mis-use of their 
standards, and about misrepresentation of being certified against a 
standard.  Perhaps it's time for IETF to institute similar policies and 
proceedures - beyond:
"it's not actually a standard - we just provided space for the document"
"it's a voluntary standard, we're not responsible if it's not 
implemented properly, or not deployed properly"

We all claim that we don't want governments to run the Internet - but 
when our voluntary, cooperative mechanisms drop the ball - that's the 
end result.  (Along with lots of litigation.)

Just one man's opinion, of course.

Miles Fidelman



-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra