On 7/6/20 6:15 PM, Douglas E. Foster wrote:
> About discarding From alignment:
> DMARC has been sold to big corporations as essential to defending
> their brand identity. In response, they pay serious money to keep
> Valimail and its competitors in business. I see no way that we can
> put forward a proposal that will put Valimail and its friends out of
> business, while incurring the wrath of C-Level executives and legal
> teams at Fortune 500 companies. Not that I have any of those people
> on speed dial, so maybe someone can prove me wrong. But I have been
> surprised that one of the DMARC reporting companies is not listening
> to this part of the discussion and having alarm bells.

While deployment is definitely a factor for IETF standardization decisions, I would be very surprised to see IETF standardize a specification that does not provide the benefits it claims to provide just because it has been sold to big corporations. IETF doesn't need to share in the wrath of those C-level executives.

Whether From alignment does or does not defend brand identity is a topic for a different discussion thread. I was trying to avoid muddying this discussion with it.

>
> About credible mediators:
> You are right that if an inbound email gateway believes a Mediator is
> credible, then all that is necessary is for the Mediator to prove his
> own identity. But what is the mechanism by which a Mediator obtains
> the trust of the email gateway? And by what mechanism does the
> Mediator know that the email gateway has determined it to be credible?

My proposal is largely a simpler (I think) alternative to ARC for assessing transformations. ARC also requires that the recipient's verifier have some trust relationship with the mediator, perhaps through an as-yet undefined reputation system. Murray's reversible transforms proposal is yet another approach that does not require trust to the same degree.

>
> One option is to provide so much information in the email message that
> the email gateway will grant trust on the fly. Murray's approach
> has appeal because, especially when coupled with appropriate LIST-*
> and RESENT-* headers, it provides all of the information needed for a
> decision to be made. ARC has less appeal because it provides just
> enough information for the email gateway to detect that something
> deliberate was done, but not much more. Researching the credibility
> of the list would need to occur out-of-band using LIST-* headers as a
> starting point. But there is a larger problem. Even after the
> gateway decides the Mediator is credible, the Mediator is ignorant of
> the gateway's decision, so the Mediator is unable to take advantage of
> that decision.
>
> The other option is for the MLM and the Email gateway administration
> to negotiate credibility in advance, with the subscriber acting as
> sponsor for the discussion.

I'm not clear on which "gateway" you're referring to: the sender's gateway? But "researching the credibility of the list" sounds like the same problem as determining whether a mediator is credible, it's just being done by a different party.

-Jim
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc