On 09/22/2013 04:34 PM, Dave Crocker wrote:
On 9/16/2013 9:33 PM, Scott Kitterman wrote:
>> This is a domain-owner's choice. They take their chances with the
>> consequences of course. What we're not able to do is provide a
>> child-safe environment in which there are no trade-offs and where
>> actions have no consequences.
>
> Email authentication is only for domains that don't need mailing
> lists?
The question jumps from the specifics of DMARC (or DKIM or SPF) into a
much, much more general point. The problem with any logic that might
be trying to justify that generality here is that these bits of
technology offer very specific /kinds/ of email authentication. In
fact as we keep seeing, the distinctive nature of their specific
authentications is often missed by folk.
In other words, an assessment of any one (or even all 3) of these
doesn't permit making the more general assessment about any and all
forms of email authentication. (Nor do I read Roland's text as having
attempted that.)
On 9/22/2013 7:20 AM, Roland Turner wrote:
Then the next question is: is it worth standardizing DMARC within the
IETF? Obviously it already is a _de facto_ standard, why should we aim
at making it a _de jure_ standard as well?
I for myself have not yet found the answer to this question.
People with a longer experience with IETF process may offer a better
answer, but I'd suggest RFC 2026
<https://www.rfc-editor.org/rfc/rfc2026.txt> 4.1.1 offers an approach:
(Just for clarity, the IETF does not produce "de jure" standards. It
has no enforcement authority, which is what is meant by the term.
There seems to be quite some controversy about the terms "de jure" and
"de facto", see for example:
http://electronicdesign.com/embedded/what-s-difference-between-de-jure-and-de-facto-standards
including the Discussion that follows the article. It was not my
intention to start a discussion here on these words, so I apologize for
having used this terminology.
Note the opening paragraph to RFC 2026, which cites "voluntary
adherence". These days, it's perhaps classed as "formal", but that's
quite different.)
Please note that more and more governments create lists of standards,
which must be used by these governments' agencies and organizations
when building new IT solutions, purchasing new software etc. [1]. Quite
a number of these standards are IETF standards. See [2], [3] and [4].
With that in mind, the IETF standards become more and more 'mandatory'
(to not use the word "de jure") to use for many organizations worldwide.
I have been involved in submitting DKIM for the Dutch list 'Comply or
Explain' and I can assure you that it definitely makes a difference when
a standard is an IETF standard or not. This is due to the criteria that
are used (open standardization process, decisions by consensus, publicly
available etc.).
/Why/ a group wants to pursue IETF standardization is a meta-question
that, frankly, the IETF itself doesn't really answer, except
perhaps indirectly. Referring again to RFC 2026, the last paragraph
in Section 1.1:
"In general, an Internet Standard is a specification that is stable
and well-understood, is technically competent, has multiple,
independent, and interoperable implementations with substantial
operational experience, enjoys significant public support, and is
recognizably useful in some or all parts of the Internet."
Apart from stable and well-understood, all of these characteristics
already apply to DMARC. In addition to that I doubt whether the
individual submission with AD sponsorship will aid in improving the
understanding of the protocol, or in gaining significant public support.
So I'd say that a good motivation for seeking IETF standardization is to
obtain this formal assessment. In other words, it further vets an
existing specification, as well as essentially handing change control
for the specification over to the IETF. (This latter point doesn't
actually require standardization, but it is a real side-effect.)
The good thing of standardization of DMARC within IETF, IMHO, is that in
the long term it will improve stability of the standard, which is due to
the fact that change control is handed over to the IETF. So basically
I'm in favour of standardizing DMARC within the IETF, but I hope the
chosen path will not minimize the influence that IETF can have on this
standard, as there seems to be only one 'Last Call' between the
DMARC-as-it-is-now and the IETF standard DMARC (or will there be more
moments that consensus is sought?).
/rolf
[1] http://en.wikibooks.org/wiki/FOSS_Open_Standards/Government_National_Open_Standards_Policies_and_Initiatives
[2] http://dre.pt/pdf1sdip/2012/11/21600/0646006465.pdf (Portuguese)
[3] http://www.computerweekly.com/blogs/public-sector/2011/10/open-standards-uk-dithers-whil.html
[4] https://lijsten.forumstandaardisatie.nl/lijsten/open-standaarden?lijst=Pas%20toe%20of%20leg%20uit&status[]=Opgenomen&pagetitle=pastoeof (Dutch)
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc