Dave Crocker wrote:
On 4/12/2014 8:17 AM, Miles Fidelman wrote:
Dave Crocker wrote:
On 4/12/2014 5:29 AM, Miles Fidelman wrote:
1. DMARC was developed by an ad hoc industry consortium. It is
already deployed well enough to cover an estimated 60% of the world's
email traffic. As such, its status with the IETF is obviously not a
gating factor. So the "not even an RFC" has some formal import, but
limited practical import.
So what happens to an infrastructure that is operated and governed by
consensus, when a few large players can make major changes to the
infrastructure while ignoring issues that don't directly affect their
interests?
That's an excellent question. Worthy of discussion.
Perhaps oddly, however, it is almost irrelevant to the work of the
IETF, which is creation of technical specification.
Your question is about enforcement, not about creation.
That's an operations issue.
3. A specification cannot be responsible for operators that choose to
deploy something in a way that creates problems documented in the spec.
No. But a standards process can. (E.g., not just anybody can be a domain
registry, or enter records into the root nameservers).
That's governed by operations organizations, not the IETF.
Well, yes and no.
It's fairly typical in the standards world for one organization to set
standards, and designate a "registration" authority to administer
aspects of a standard.
In the current discussion about the NTIA/ICANN transition, two examples
of this have come up, and there are 100s more:
- ISO defines the numbering scheme for bank card and credit card
numbers, ANSI maintains the "Issuer Identification Database"
- ISBN numbers are similarly standardized by one body, with delegated
authority for issuing the numbers
(ANSI by the way, is a voluntary, non-profit, originally formed by a
bunch of engineering societies. ISO is a consortium of ANSI and other
national level standards bodies.)
Standards bodies also commonly define certification requirements and
mechanisms, accredit certification bodies in various ways, and establish
remedies for false representation of certification status.
In the case of Internet protocols, IETF is the primary standards body,
and through various MOUs has designated registration authorities for
various things (mostly IANA).
So yes, IETF has some governance authority (technical, moral, and legal)
in this matter, if it chooses to exercise it.
At the very least, it strikes me that the IETF should be visibly and
publicly chastising the "ad hoc industry consortium that developed
DMARC" and those who deployed it - as being exceptionally bad actors
who:
- roundly ignored issues of major impact in developing the standard
- have deployed it in ways that are causing widespread havoc
- are rather pointedly ignoring that havoc (have you seen anybody from
Yahoo responding?)
I believe the IETF has never done such a thing. I'm pretty sure it
shouldn't.
Well - arguably, the IETF (or members thereof) were pretty vocal when
the TCP/IP vs. ISO wars were going on.
The more a technical organization delves into public policy and
politics, the less it is a technical organization. Policy and
politics issues come to dominate.
At the least, they confuse perception of the organization.
Well, IEEE and ACM both have policy arms. IEEE is both a standards
maker and very visible on some policy issues - including some that are
technopolitical. (Granted that IEEE's standards efforts are relatively
removed from their policy efforts).
So while there well might be worthy statements and/or actions to be
taken, when a major actor introduces major disruption, that's not a
task for the IETF.
Which then begs the question: Whose task is it?
Miles
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc