Re: What I've been wondering about the DMARC problem

Seth Johnson <seth.p.johnson@gmail.com> Tue, 15 April 2014 11:37 UTC

From: Seth Johnson <seth.p.johnson@gmail.com>
Date: Tue, 15 Apr 2014 07:36:25 -0400
Message-ID: <CAJkfFBycRLckXVmYRQ=TzGHyu9KOnh81okqgHfoW5SFZYC2vTA@mail.gmail.com>
Subject: Re: What I've been wondering about the DMARC problem
To: Miles Fidelman <mfidelman@meetinghouse.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/uiBdqkQGa4Fsp0ItmHILgSkVJ3U
Cc: IETF Discussion <ietf@ietf.org>

Jimmy Wales is, perhaps partially unconsciously, referencing this with his
point on a "culture of free expression."

Note: I am not implying in making these observations that stewardship
should be by any particular country, or any number less than the totality
for that matter -- only that we rely on systems that we have claimed for
the people to create such a context, and the international arena (and the
various systems so far presented for "checks and balances" or even simply
handoff to privatized systems to multistakeholder-ish processes that must
not be government-led or inter-governmental) does not presently support
that.


Seth


On Tue, Apr 15, 2014 at 1:29 AM, Seth Johnson <seth.p.johnson@gmail.com> wrote:

> (one insert/correction inline)
>
> On Tue, Apr 15, 2014 at 1:20 AM, Seth Johnson <seth.p.johnson@gmail.com> wrote:
>
>> The framework internationally is different.  Within free countries,
>> there's a culture of expectations that certain things will be unacceptable,
>> or will be resisted by self-respecting citizens.  That culture is based in
>> a system that guards fundamental liberties, and people are able to rely on
>> it to do so, though for private firms the limits aren't so definitive as
>> they are for the government.
>>
>> Internationally, the limits are no longer so definitive, and that's
>> because even though governments will sign onto instruments like the UDHR,
>> those rights are not actually fundamental, even if we call them that.
>> Fundamental rights have an undeniable priority within countries where they
>> have been claimed in the founding act.  On that foundation, judges are
>> always obliged to assess fundamental rights in light of the unarguable fact
>> that their priority over the government was part of the original creation
>> of the whole system.  There's no founding act in the international arena
>> that sets the priority of people over the governments of the world, so
>> rights are actually at the indulgence of governments, and governments can
>> always assert their state interests are so important that they warrant
>> impinging on fundamental liberties.
>>
>> We just saw an example of this with the Snowden disclosures.  We've been
>> through a long period where we couldn't get our government to actually do
>> much for us, or conversely to not invade our liberties -- because the
>> claims that the government was snooping pervasively were kept marginal in
>> various ways.
>>
>
> <fixed>
>
>>  But once documentation moved those considerations out of the frame of
>> "conspiracy" or zealotry by activist organizations, we suddenly began
>> seeing the appeals work again: "that's not the kind of country we are, what
>> we set up for ourselves," we started saying again.
>>
> </fixed>
>
> (eom)
>
>
>> And while it's still in a bit of denial, we are seeing a gradual grudging
>> retracting -- again, because the basis in fundamental liberties is
>> unarguably related to how we set the government up in the founding act(s).
>>
>> This is for governments and the more definitive relationship between
>> fundamental liberties and the government; that is, that they are limits on
>> the government.  The judicial system treats fundamental rights violations
>> by the government in terms of "strict scrutiny," which means a governmental
>> act that impinges on fundamental liberties must serve a compelling state
>> interest, and even then, must be narrowly tailored.  For private parties,
>> it's more that the working system creates a culture of people who enjoy
>> this ability to live in a system where these limits on the government are
>> actually at play -- and that's a context that more easily supports
>> attitudes of resistance and pushback from people who see their dignity
>> invaded by private firms that do excessive things.
>>
>> None of this exists internationally.  The best you can place some faint
>> hope in is that national/state interests will be "balanced" against rights
>> expressed in a treaty.  That's a totally different standard from strict
>> scrutiny.  And relying on even that is unrealistic, because governments
>> have the "epistemic priority" -- and so they often, quite freely, simply
>> claim their sovereignty and act according to what they claim is an
>> important state interest.  They simply have that wherewithal at the
>> international level.
>>
>> All of which is preface to say that the result is that governments and
>> private parties (and corporations, who have concocted trans-state "rights"
>> through judges acting to fill in gaps in the law over the years) know the
>> rules don't apply the same way in the international arena.
>>
>> In fact, given the transitions currently being attempted, whether with
>> the IANA functions or "Internet governance" more generally, Yahoo's DMARC
>> behavior may really be a sort of dry run, testing the ability to take
>> advantage of the moves to put concerns related to the operation of the
>> Internet into an international frame, which folks are pushing for without
>> really recognizing what's missing in that context, what they have sort of
>> unconsciously relied on and taken for granted within systems of checks and
>> balances that are rooted solidly at national levels.
>>
>> The checks and balances don't work the same internationally, and that
>> circumstance can be exploited (and is, all the time, these days).
>>
>> People might push back, but they don't really do so with the same sense
>> of fundamental recourse assured by a solidly rooted system.  And Yahoo
>> knows this.  And we're just shoring that up by saying we can just switch
>> multistakeholderism to the international arena.
>>
>> (All of this is aside from other factors not generally acknowledged --
>> that there are actually inter-governmentally endorsed frames in place that
>> will have a bearing on IANA type functions or domain names (Names, Numbers,
>> Addresses and Identifiers/NNAI, in the ITU parlance), regardless of the
>> fact the IANA transition defines itself as non-governmentally-led or
>> inter-governmental.  Looking at this in that light, Yahoo may be forcing
>> the creation of a context in which it can start to exercise those
>> frameworks.)
>>
>>
>> Seth
>>
>>
>> On Tue, Apr 15, 2014 at 12:07 AM, Miles Fidelman <
>> mfidelman@meetinghouse.net> wrote:
>>
>>> Important business users, with Yahoo accounts?  Is that a joke?
>>>
>>> Just as a reference point:
>>> - I just logged into my long-unused, and un-publicized yahoo email
>>> account - and the only thing there is Spam
>>> - the lion's share of mail that comes from yahoo, to my normal account,
>>> is spam
>>> - unfortunately, a good number of people on the email lists that I run
>>> seem to have Yahoo mail accounts - and a good amount of the mail that comes
>>> from those accounts is... you guessed it... spam - because yahoo email
>>> accounts seem to be vulnerable to cracking and exploitation
>>>
>>> So, just who is it that Yahoo is protecting here?
>>>
>>>
>>> Abdussalam Baryun wrote:
>>>
>>>> The standard procedure in many companies is business scoped, so they
>>>> identify important business users and the business returns/damages. Most
>>>> important users are not IT experts, and use email for personal exchange.
>>>> Yahoo has signed an agreement with users to protect its information system,
>>>> so all seem to follow that, and all users are free to stop using services
>>>> or not.
>>>>
>>>> AB
>>>>
>>>> On Tuesday, April 15, 2014, Brian E Carpenter wrote:
>>>>
>>>>     I thought that standard operating procedure in the IT industry
>>>>     was: if you roll something out and it causes serious breakage to
>>>>     some of your users, you roll it back as soon as possible.
>>>>
>>>>     Why hasn't Yahoo rolled back its 'reject' policy by now?
>>>>
>>>>     Regards
>>>>        Brian
>>>>
>>>>
>>>
>>> --
>>> In theory, there is no difference between theory and practice.
>>> In practice, there is.   .... Yogi Berra
>>>
>>>
>>
>