Scott Kitterman wrote:
> On Monday, April 14, 2014 10:14:19 Murray S. Kucherawy wrote:
> > On Mon, Apr 14, 2014 at 9:02 AM, Miles Fidelman
> > <mfidelman@xxxxxxxxxxxxxxxx> wrote:
> > > Then again, the current DMARC debacle presents a cautionary tale of more
> > > ad hoc approaches.
> > DMARC's proponents tried to come to the IETF to form a working group so
> > that it could undergo the rigors of standards development, and thus not be
> > as "ad hoc" as you're describing. It was not accepted, on the basis that,
> > in essence, the work was already done so there's nothing for the IETF to
> > contribute.
> > (If I've mischaracterized this, I'm happy to be corrected.)
> If that's true, it's my impression it's true because the DMARC proponents
> insisted any possible working group charter preclude meaningful changes to the
> base specification because the work was already done.
> Personally, I was kind of OK with the current plan, although I thought it far
> from ideal because I thought there was a clear understanding among the DMARC
> proponents about what kinds of domains p=reject was appropriate for (not ones
> with real users that commonly have use cases for which p=reject is
> problematic).
> Now that that clearly isn't the case, I think the plan needs to be revisited.
If it was clearly understood about when p=reject is/is not appropriate -
and someone (whose corporate name begins with Y) misapplied it - is this
not akin to the propagation of corrupted routing data, and meriting a
comparable response from all concerned? If done intentionally, with
knowledge of the potential consequences - does this not tread into the
grounds of a DDoS attack, and merit comparable response? And if the
perpetrator does not act to roll back their action - does that not merit
a strong response?
I believe that there are laws against "knowingly caus[ing] the
transmission of a program, information code, or command, and as a result
of such conduct, intentionally causes damages without authorization to a
protected computer" (That's from the Computer Fraud and Abuse Act.)
And.. just for the heck of it.. I reported this to CERT. The impact on
the systems I run has been far higher than, say, the Heartbeat
vulnerability. Kind of interested to see what kind of response I get.
Miles Fidelman
--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra