RE: Let's talk (was: DMARC: perspectives from a listadmin of large open-source lists)

["MH Michael Hammer (5304)" <MHammer@ag.com>]

From: Dave Cridland [mailto:dave@cridland.net]
Sent: Wednesday, April 16, 2014 2:24 PM
To: S Moonesamy
Cc: MH Michael Hammer (5304); ietf@ietf.org Discussion
Subject: Re: Let's talk (was: DMARC: perspectives from a listadmin of large open-source lists)

On 16 April 2014 18:26, S Moonesamy <sm+ietf@elandsys.com<mailto:sm+ietf@elandsys.com>> wrote:
Speaking about career enhancing moves, common sense dictates that it is to be assumed that the individual is the mouthpiece of the organization (I am not inferring that you are).  In my opinion reviews from individuals affiliated with the companies listed on the web page might not fit within the objectivity guidelines.  It may be difficult to find an external reviewer if Dave Cridland does not wish to donate his intellectual property rights.

MH: Reviews from 3rd parties have been always welcome and were specifically asked for from a number of people unaffiliated with dmarc.org. There were external reviews (although it would have been nice to see more) from various people. I note that Jim Fenton just posted to the dmarc-ietf list about many of his suggestions being incorporated.

With regard to mouthpieces, there are some people who clearly are and other people who are not. It’s generally not too difficult to figure out the difference between the two.

I'm actually quite happy donating IPR; I do it all the time. The XSF policy on copyright is an assignment one, for example.

I have no idea what the IPR policy is for DMARC, it has been developed outside the IETF process, and changes to it from the IETF are not welcome.

MH: The IPR policy for DMARC falls under the OWF – All of the participating organizations have signed agreements for this. Anyone can contribute as an individual but the participating organizations have specific contractual obligations. There are more details on the OWF basis for anyone interested in participating or contributing through the dmarc-discuss list at http://www.dmarc.org/note_well.html.  Considering that there were multiple attempts to hand the DMARC spec over to the IETF I think the last part of your statement is a stretch. There were constraints/considerations that I think could have been worked out, but for now that is water under the bridge.

Speaking only for myself because I’m not any ones mouthpiece, I believe that any contributions which improve the technical rigor of the specification are valued and are of benefit to the community in the larger sense. If I believed otherwise I would not be participating.

So from my perspective, it's like saying "Hey, we'd like you to spend time and effort on reviewing this so we can tell you why we're not going to make any changes".

MH: I respect your perspective Dave. I can only point to the experience of others that have taken the time and effort and found their suggestions incorporated. Because the participating organizations are bound by OWF and the participation agreement, there is an obligation to follow certain processes. I will say that from my perspective it was never anticipated that we would be going this long without a handoff to IETF. I’m not looking to debate whether it should or shouldn’t be or how it might be at this point, I’m only trying to provide some perspective into why the DMARC process is currently the way it is.

Remember (understand?) that this (DMARC) started because various participants had private bilateral agreements regarding policy assertions and reporting. When I first started working on my implementation (and operational changes) I had to ask various mailbox providers to provide feedback on our mail and authentication failures, etc. I was accommodated to various degrees because I/my organization was perceived as aggressively moving to combat abuse. Most of the providers that responded had to make a special effort to provide that sort of information and the format and what was included varied from provider to provider. It was also easier for some because we had partnership or other contractual agreements already in place that addressed privacy concerns. I would get a slice of data from one provider and spend an incredible amount of time trying to get it to mesh with a different slice of data from someone else. Once we implemented (strong assertions) for SPF and DKIM, some of the folks working on validation implementations used our mail streams as a reference case as they developed their validation implementations (and remember, this was pre-DMARC and even before DKIM was finalized). As participants in the bilateral efforts compared notes and experiences it was natural to try and standardize the interactions between all the various players. And once that occurred there was a desire to make it an open standard rather than a private club because there was a belief that it was beneficial to the wider community – thus DMARC. There were other pre-DMARC efforts that did not produce any visible outcome. Some of them I participated in and others I did not because I felt they were unlikely to be successful. So at the end of the day, if your perspective is that it isn’t worth your time and effort,  I can’t think of anything I or anyone else might say that would change your mind.

Mike