On Wed, Apr 9, 2014 at 8:04 PM, Miles Fidelman <[email protected]> wrote:

> On 4/9/2014 7:25 PM, Miles Fidelman wrote:
>> Yahoo! is choosing to apply the technology for usage scenarios that have
>> long been known to be problematic. Again, they've made an

In fact... it is too generous to say "known to be problematic". Basic functionality is seriously and utterly broken --- that DMARC doesn't have a good answer for such situations, is a major indicator of its immaturity, in the sense that it is "Too specific" a solution and cannot apply to e-mail in general.

If it were mature: a mechanism would be provided that would allow mailing lists to function without breaking changes such as substituting From:.

An example of a solution would be the use of a DKIM alternative with not a single signature for the entire message, but only partial signing of parts of the message: specifically identified headers and/or specific body elements, to validate that the message was really sent and certain elements are genuine ---- and certain elements were modified by the mailing list.

>> informed choice. Whether it's justified and whether it was the right
>> choice is more of a political or management discussion than a technical one.

The technical issue is that the immaturity of the related specs. limits the decisions that are available for a particular domain ---- so, essentially, if you have a certain kind of user traffic: you have to incur technical issues with mailing lists, or forego using DMARC.

In other words: much as you would like to dismiss as purely a managerial decision ---- the decisions available to be made are entangled with the limitations of the technical options that are available for mitigating spoofing, AND the public's understanding thereof.

>> In technical terms, DMARC is reasonably simple and reasonably well
>> understood and extensively deployed.

I would say reasonably simple. Only well-understood by a very limited fraction of the population of mail operators. Not widely deployed; particularly on domains serving end user mailboxes.

>> For most discussions, that qualifies as 'mature'...
>
> Especially after reading some of the discussions on the DMARC mailing list
> where it's clear that issues of breaking mailing lists were explicitly
> ignored and dismissed.

+1. Common use case ignored and dismissed, is a pretty convincing indicator of a lack of maturity with regards to the spec.

> Miles Fidelman
>
> --
> In theory, there is no difference between theory and practice.
> In practice, there is. .... Yogi Berra

--
-Mysid
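Added example, not part of the original thread: a simplified model of the mailing-list breakage discussed above, showing how a list footer changes the DKIM body hash, why DMARC then fails, and how substituting From: or signing with DKIM's l= (body length) tag changes the outcome. The domains and message bodies are constructed, and the model assumes strict alignment, a passing SPF check for the envelope domain, and that DKIM passes whenever the body hash matches (header signatures are not modeled).

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, length=None) -> str:
    """Value of the bh= tag; `length` models the optional l= tag."""
    canon = relaxed_body(body)
    if length is not None:
        canon = canon[:length]             # only the first l= bytes are hashed
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

def dmarc(from_domain, signed_bh, dkim_d, spf_domain, body, length=None):
    """Simplified DMARC: pass if DKIM or SPF passes AND aligns with From:.
    Assumptions: strict alignment, SPF passes for spf_domain."""
    dkim_aligned = body_hash(body, length) == signed_bh and dkim_d == from_domain
    spf_aligned = spf_domain == from_domain
    return "pass" if dkim_aligned or spf_aligned else "fail"

# Constructed sample data (not taken from the thread).
ORIGINAL = b"Hi all,\r\nDMARC question.\r\n"
VIA_LIST = ORIGINAL + b"-- \r\nlist footer\r\n"   # list appends a footer
AUTHOR, LIST = "example.com", "lists.example.org"
SIGNED_BH = body_hash(ORIGINAL)                   # bh= set by the author's domain

def scenarios():
    return {
        # Delivered directly: body intact, DKIM and SPF both align.
        "direct": dmarc(AUTHOR, SIGNED_BH, AUTHOR, AUTHOR, ORIGINAL),
        # Relayed by the list: footer breaks bh=, SPF aligns with the list only.
        "via_list": dmarc(AUTHOR, SIGNED_BH, AUTHOR, LIST, VIA_LIST),
        # List substitutes From: and signs with its own domain.
        "from_rewritten": dmarc(LIST, body_hash(VIA_LIST), LIST, LIST, VIA_LIST),
        # Author signed with l= covering only the original body.
        "l_tag": dmarc(AUTHOR, SIGNED_BH, AUTHOR, LIST, VIA_LIST,
                       length=len(relaxed_body(ORIGINAL))),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15} {result}")
```

With l=, everything past the signed length is unauthenticated, so a verifier that accepts it cannot tell a list footer from any other appended content.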

