Hi Mike,
At 20:44 15-04-2014, MH Michael Hammer (5304) wrote:
I think this conflates two different issues:
Ok.
1) Cost to participation. While I may work for a larger
organization, much if not most of my participation is in addition to
my other work obligations. I know of other folks in a similar
situation. I participated before I worked at a large organization, I
participated when I had my own small business and I may choose to
participate in the future if my circumstances change. There are
other people whose occupation consists solely of standards work. I
don't have any meaningful answer to your comment. Quite frankly, I'm
asking myself why I should personally continue to engage with the
IETF process at all. It's not as if my employer is demanding it. Do
I really want to be engaging with IETF after a 16 hour day working
on other stuff? It must be masochism.
One of the reasons to participate in the IETF is self-interest. The
IETF standard for IETF participants is attending three out of five
meetings. A small business cannot afford that cost. The list of
volunteers is at https://datatracker.ietf.org/nomcom/ann/58250/ How
many of the people are from small businesses?
2) Getting ignored or minority view. I don't believe it is simply a
function of company size - at least for the WGs I've participated
in. I'd assert that at least in the email/email auth WGs it's more a
function of long term participants, many of whom have calcified
positions (across the spectrum). I can think of at least one person
from a relatively large company who gets ignored a fair bit, so size
is not necessarily a factor. I've been in the minority view on
various issues in the WGs I've participated in. That's life - I
chose Betamax. To a certain extent it's also a function of who is
wrangling the WG and how they manage the WG. I don't really think
about whether a person is with a large company, a small company or
an individual - I'm more interested in the quality and practicality
of their ideas. I'm more of a security and operations guy and that
colors my perspective.
The usual explanation for the ways things are is "That's
life". That's what gets you (used in a general sense) calcified
positions, specifications that takes years to be published and other
IETF problems.
I'm not sure if you are looking for a response to Dave Cridland's
message in the context of DMARC specifically. As I noted when I
first posted to this group, I don't speak on behalf of DMARC and my
I wasn't looking for a response as I have been staying out of DMARC
discussions.
comments are on a personal basis. When DMARC came along, as a
sender I only had to publish a p=reject policy. We (my employer)
had done the heavy lifting in terms of changing our mailing
practices back in 2007 before there was a dmarc.org or a spec. I
had some concerns about a wide open WG but wasn't necessarily
against it. My concerns were more along the line of how much of a
grind it might be on a personal basis (after my experiences with
other WGs). I do recognize that others made a significant
investment in implementing running code to make things work. I
think a lot of people underestimate what was involved and overly
discount concerns about radical modifications to the spec. When I
did my original effort in 2007 it was a five month project
involving quite a few people to change how our websites handled
mail to accommodate strong authentication for SPF and DKIM. I'll
also point out that the interoperability event for DKIM didn't take
place until 2008 which meant I was somewhat going out on a limb.
I'm sure that for others to do their DMARC implementations on the
mailbox provider side several years later it was a larger effort
than what I went through. My personal belief is that nobody was
looking to get an IETF rubber stamp. Perhaps the concerns might
have been communicated differently and perhaps there might have
been a little less skepticism as to intent.
Rewriting a specification from scratch is rather silly if there isn't
a good reason to do that. In my opinion the purpose of a working
group is to review the drafts and send work of acceptable quality to
the Area Director. It is possible to take into consideration the
constraints of the various parties if there is a public
explanation. At the same time the parties could consider that
hinting for an IETF rubber stamp is going to be problematic.
I'll highlight a comment from Stephen J. Turnbull:
"It might help if you gave us the annotated version of what you do like
about it, instead of telling us that everything we've been doing for
20 years is wrong, and that we're crazy to object to the violation of
the most fundamental and ancient email RFC (not to mention violating
copyright law in every Berne Convention signatory) by corrupting the
authorship information of each post we process."
If it is difficult to explain in English words, show the source
code. It is worthwhile to look into the interoperability issues. It
may not be possible to solve all of them quickly. That's not a
significant problem as long as a working group does not break too much stuff.
So on to the mail list issue. On one level I want to say not my
issue. I don't publish p=reject for any domains with users that send
to mail lists so as I've said, my ox isn't getting gored. There were
plenty of discussions in the DKIM working group about 1st party
signatures vs 3rd party signatures and trust and reputation and who
should do what and who wouldn't do what. At the end of the day the
can was kicked down the road. So here we are. I don't have any
answers for this group. I've already stated in a previous post how I
think it will play out. I'm leaning towards just walking away and
spending cycles on something as that is more productive from my
perspective. The juice just isn't worth the squeeze.
It's okay to say "not my issue". It is an issue if most people in
the group say "not my issue". If there isn't any progress on the
issue the note to the Area Director could be "the working group does
not have the competence to address this issue".
I don't think you are likely to see someone speaking up in that
particular way. "My boss has bad ideas" posted to a public forum is
not a career enhancing move even if phrased politely. Those sorts of
issues would likely get resolved internally or the person would
likely choose to move to another roost if it is a significant issue.
That's just common sense. At least for me, in the WGs I've
participated in, I've had a lot of latitude because the issues are
technical and it is more me keeping management apprised of what is
happening and what I'm doing than me getting directives. I can't
speak for others or other organizations. I don't have anything to
sell or market so I have no reason to use marketing language. My
goal is to protect end users from maliciousness that tries to
leverage our domains and brands - things like SPF, DKIM and DMARC
help do that in conjunction with other efforts such as takedowns,
blocking, prosecutions, etc. I also get involved in other anti-abuse
efforts that have nothing to do with my employer - because I believe
it is the right thing to do. Standards are just one piece of the puzzle.
Speaking about career enhancing moves, common sense dictates that it
is to be assumed that the individual is the mouthpiece of the
organization (I am not inferring that you are). In my opinion
reviews from individuals affiliated with the companies listed on the
web page might not fit within the objectivity guidelines. It may be
difficult to find an external reviewer if Dave Cridland does not wish
to donate his intellectual property rights.
Takedowns, blocking, prosecutions, brand protection, etc. are
non-technical issues. These issues could be discussed if it helps
the average participant to understand the puzzle. Past DKIM and SPF
discussions could be listed under "gives the WG Chair(s) a headache".
Is this work doable? I don't know. Would I put effort to solve
Company X is breaking the internet? No, as it is an expense which I
cannot afford. Did I learn anything from the discussions on the
previous topic? Yes. :-)
Regards,
S. Moonesamy