Ned Freed writes: > The scenario you propose makes no sense:
True. > If Yahoo! or whoever does what you describe, their messages would > in effect have no attached signatures until the receiving systems > out there upgrade their software to handle the new critical tags. No, they'll have effective signatures. They'll use "v=1" signatures as well during a transition period (they work well enough to be used for a while ), and then do what they're doing now: tell their users to yell at recipients who don't handle vendor-specific "V=2" signatures to get their act together and "be part of the solution". > You can't count on much from large players, but I think you can > count on them not intentionally screwing themselves over. I don't see the strategy above as screwing a large player more than publishing p=reject already does. They did that. > > By design, DMARC renders that requirement inoperative, and a > > "p=reject" policy is intended to render messages unprocessable exactly > > when a particular DKIM-signature is invalid. DKIM may not need to > > worry about it, but we do. > > You're missing the point. We're *changing* the design here so things no > longer work this way by associating this with a version bump. And we've > already confirmed that a significant number of implementations ignore > v=2 signatures. Changing the design of what? I wish we could change the design of DMARC[1], but I don't think that is going to happen. DMARC is a private agreement so far completely out of IETF control, it is known to suck in some ways for third parties, and the big players are doing those sucky things anyway because it accomplishes their goals without hurting them very much. Changing DKIM is not going to change DMARC as far as I can see. DMARC may adopt new features of DKIM, but only as it serves the consortium's purposes, and they will surely continue to apply the "p=reject" override to any "v=2" DKIM signature that fails (generalized) identity alignment or is invalid. No? All the evidence I see says that even if the exact scenario I propose is unlikely to occur, it's possible, maybe even quite probable, that the big players will use the possibility of registering values and imposing criticality to serve their own purposes. You describe the same kind of thing happening in the past -- I understand that "that was then, this is now (and different)", but this "difference" is all hypothetical. The fact is that fragmentation does occur under some circumstances. Footnotes: [1] In some ways. Mostly I think it does what it's supposed to do quite well, and I don't think I'd even change "p=reject" except to add an explicit caveat that publishing "p=reject" means that the Author Domain must assume *full* responsibility for lost or undelivered mail in the current Internet environment. _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
