Re: [iucg] Last Call: Modern Global Standards Paradigm

John C Klensin <> Mon, 13 August 2012 14:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 00D4B21F853F; Mon, 13 Aug 2012 07:50:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.587
X-Spam-Status: No, score=-102.587 tagged_above=-999 required=5 tests=[AWL=0.012, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id C5XOIXWouyXx; Mon, 13 Aug 2012 07:50:50 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 1D1BE21F846E; Mon, 13 Aug 2012 07:50:39 -0700 (PDT)
Received: from [] ( by with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <>) id 1T0vsS-000Eju-Fj; Mon, 13 Aug 2012 10:44:20 -0400
Date: Mon, 13 Aug 2012 10:50:25 -0400
From: John C Klensin <>
To: Alessandro Vesely <>
Subject: Re: [iucg] Last Call: Modern Global Standards Paradigm
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Cc: ietf <>, internet users contributing group <>
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Aug 2012 14:50:51 -0000

--On Monday, August 13, 2012 11:11 +0200 Alessandro Vesely
<> wrote:

> FWIW, I'd like to recall that several governments endorse IETF
> protocols by establishing Internet based procedures for
> official communications with the relevant PA, possibly giving
> them legal standing.  Francesco Gennai presented a brief
> review of such procedures[*] at the APPSAWG meeting in Paris.
> At the time, John Klensin suggested that, while a more
> in-depth review of existing practices would be appreciated,
> the ITU is a more suitable body for the standardization of a
> unified, compatible protocol for certified email, because of
> those governmental involvements.
> [*]


Please be a little careful about context, as your sequence of
comments above could easily be misleading.  

For the very specific case of email certified by third parties,
especially where there is a requirement for worldwide
recognition (the topic of the talk and slides you cited), the
biggest problem has, historically, been an administrative and
policy one, not a technical standards issue.  We know how to
digitally sign email in several different ways -- there is
actually no shortage of standards.   While additional standards
are certainly possible, more options in the absence of
compelling need almost always reduces practical
interoperability.  Perhaps the key question in the certified
mail matter is who does the certifying and why anyone else
should pay attention.  The thing that makes that question
complicated was famously described by Jeff Schiller (I believe
while he was still IETF Security AD) when he suggested that
someone would need to be insane to issue general-purpose
certificates that actually certified identity unless they were
an entity able to invoke sovereign immunity, i.e., a government.

For certified email (or certified postal mail), your ability to
rely on the certification in, e.g., legal matters ultimately
depends on your government being willing to say something to you
like "if you rely on this in the following ways, we will protect
you from bad consequences if it wasn't reliable or accurate".
If you want the same relationship with "foreign" mail, you still
have to rely on your government's assertions since a foreign
government can't do a thing for you if you get into trouble.
That, in turn, requires treaties or some sort of bilateral
agreements between the governments (for postal mail, some of
that is built into the postal treaties).  

International organizations, particularly UN-based ones, can
serve an important role in arranging such agreements and
possibly even in being the repository organization for the
treaties.  In the particular case of certified email, the ITU
could reasonably play that role (although it seems to me that a
very strong case could be made for having the UPU do it instead
by building on existing foundations).

But that has nothing to do with the development of technical
protocol standards.  Historical experience with development of
technical standards by governmental/legislative bodies that then
try to mandate their use has been almost universally poor and
has often included ludicrous results.

A similar example arises with the spam problem.  There are many
technical approaches to protecting the end user from spam
(especially malicious spam) and for facilitating the efforts of
mail delivery service providers and devices to apply those
protective mechanisms.  Some of them justify technical standards
that should be worked out in open forums that make their
decisions on open and technical bases.  But, if one wants to
prevent spam from imposing costs on intended recipients or third
parties, that becomes largely a law-making and law enforcement
problem, not a technical one.  If countries decide that they
want to prevent spam from being sent, or to punish the senders,
a certain amount of international cooperation (bilateral or
multilaterial) is obviously going to be necessary.   As with the
UPU and email certification, there might be better agencies or
forums for discussion than the ITU or there might not.  But it
isn't a technical protocol problem that the IETF is going to be
able to solve or should even try to address, at least without a
clear and actionable problem statement from those bodies.

I do believe that the ITU can, and should, serve a useful role
in the modern world.  The discussion above (and some of the work
of the Development and Radio Sectors) are good illustrations.
But those cases have, as far as I can tell, nothing to do with
the proposed statement, which is about the development and
deployment of technical protocol standards.