RE: DMARC and ietf.org

Comments in-line.

> -----Original Message-----
> From: ietf [mailto:ietf-bounces@xxxxxxxx] On Behalf Of Hector Santos
> Sent: Monday, July 21, 2014 4:24 PM
> To: ietf@xxxxxxxx
> Subject: Re: DMARC and ietf.org
> 
> Mike,
> 
> There is no "pretending" here. We actually IMPLEMENTED and DEPLOYED the
> consensus built MAILING LIST recommendations and it works.
> 

The fact that you implemented and deployed does not mean that there is a general consensus in the IETF sense.

> So I disagree 100% with the erroneous suggestion there has been "no
> consensus at all."  To suggest there are no guidelines whatsoever has been the
> real disservice being promoted.  It's not true.
> 

Guidelines != consensus.

> It doesn't matter if it's DMARC or ADSP. It's the same design guidelines and if
> you actually implemented it as a list developer, you might see that it's really
> that simple.
> 

The devil is always in the details. ADSP!=DMARC.

> The old argument that List developers are too old to change doesn't wash
> anymore and in reality, once you roll up your sleeves and implement the
> consensus built suggestions, you will see it really has nothing to do with list
> services. It has to do with the VERIFIER.
> 

Even John isn't arguing that list developers are too old to change. He is questioning whether there is a consensus as to what changes or sets of changes are appropriate.  The Verifier is the driver of the changes but even representatives of (some) large mailbox providers have indicated that as Verifiers they are interested in how problems in this space might be addressed. As a 3rd party mailer, I got my organization to make changes in 2007 that accommodate issues in this space. While I think the changes we made are the optimal long term solution (including for MLMs), I recognize that there IS NOT A CONSENSUS and that others have a preference for other approaches. It may be that the community settles on a single "best" approach or that it recognizes several alternative approaches.

> So in short, I take slight offense to your suggestion that I have no
> understanding of the total issues involved as a product developer, its product
> offerings and also addressing the support needs of its customers which
> represents a wide horizontal spectrum of applied list needs.  There are
> solutions and I speak as a developer of a commercial integrated mail list
> server product line:
>

I never said that you don't have an understanding of the issues involved. I did say that you are incorrect when you claim that there is a community consensus on how mailing lists should address problems in the context of DMARC assertions by domains. I do not see a rush of others posting to support your assertion and I do see evidence (previous discussions on this very list within the last 4 months) that contradict your assertion.

 
>      http://www.santronics.com/products/winserver/ListServe.php
> 
> Note. This has nothing to do we have a "big data" problem (how to scale
> signer authorization).  It's a serious problem. But the consensus built
> guidelines provided are solid and necessary for any solution development.
> You still need to honor the policies at the mail entry level.
> 
> --
> HLS
> 
> On 7/21/2014 3:18 PM, MH Michael Hammer (5304) wrote:
> > John is correct. There is no consensus on how mailing lists should deal with
> > DMARC problems, notwithstanding what rfc6377 says about DKIM. ADSP
> > never gained enough real world implementation for there to be a meaningful
> > consensus. One need only look at the discussion threads on the IETF (and
> > other) list(s) following the publication of DMARC p=reject by several large
> > mailbox providers to see the diverse range of views.
> >
> > While I disagree with John on some things, in this case he is 100% dead on.
> > To pretend otherwise is to do a disservice to the mailing list community and
> > the mail community at large.
> >
> > Mike
> >
> >> -----Original Message-----
> >> From: ietf [mailto:ietf-bounces@xxxxxxxx] On Behalf Of Hector Santos
> >> Sent: Monday, July 21, 2014 3:10 PM
> >> To: ietf@xxxxxxxx
> >> Subject: Re: DMARC and ietf.org
> >>
> >>
> >> On 7/20/2014 10:51 PM, John Levine wrote:
> >>>>> I thought the preferred solution was to rewrite the From for those
> >>>>> users only.
> >>>>
> >>>> I think that remains controversial. ...
> >>>
> >>> There is no consensus at all on how mailing lists should deal with
> >>> DMARC problems.
> >>
> >> Not quite John.
> >>
> >> The specific DMARC protocol aside, with any author domain policies in
> >> general, whether it was SSP, ADSP or any DKIM author domain signing
> >> authorization protocol (DSAP),  there was a consensus RFC built document
> >> that provided the basic guideline for mailing list operations in dealing with
> >> restrictive DKIM signing policies. It used ADSP as the "DSAP" of the day.
> >> But replace ADSP with DMARC and the design recommendations apply:
> >>
> >>      RFC6377  DomainKeys Identified Mail (DKIM) and Mailing Lists
> >>      http://tools.ietf.org/html/rfc6377
> >>
> >> And overall, the basic guideline was to support the framework, not ignore
> >> it as it never existed and instead pushed for breaking the security protocol.
> >>
> >> As a LIST developer and implementor of the "DSAP" protocol, it was
> >> simple:
> >>
> >>    1) Deny Restrictive Domains from Subscribing
> >>    2) Deny Restrictive Domains from List Submission
> >>    3) Pottery Principle "You break it, you own it" - Resign mail
> >>
> >> That is all at the top level that needed to be done and all the above really
> >> has nothing to do with a mailing list but the mail receiver verifier and the
> >> outbound mail server.
> >>
> >> This is about not wanting to do a basic author domain signature
> >> authorization lookup for any kind of mail service.
> >>
> >> --
> >> HLS
> >>
> >
> 
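
Added example, not part of the thread and not code from either participant or from the list product linked above: steps 1 and 2 of the quoted list (deny restrictive domains at subscription and at submission) depend on reading the author domain's published policy, shown here for DMARC TXT records. Step 3 (re-signing) is not covered; the sample records, the function names and the choice of p=reject as "restrictive" are assumptions.

```python
# Added example: records are constructed strings, so nothing here touches DNS.
# Fetching the TXT records at _dmarc.<author domain> is left to the caller.

VALID_POLICIES = {"none", "quarantine", "reject"}
RESTRICTIVE = {"reject"}  # assumption; a list could also add "quarantine"


def parse_dmarc(txt):
    """Return the tag/value dict of a DMARC record, or None if it is not one."""
    tags = []
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:  # skip empty or malformed fragments
            tags.append((name.strip().lower(), value.strip()))
    # The version tag must come first and is case-sensitive.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)


def author_policy(txt_records):
    """Policy the author domain publishes: none, quarantine, reject, or None."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if len(records) != 1:
        return None  # no DMARC record, or several: no usable policy
    policy = records[0].get("p", "").lower()
    return policy if policy in VALID_POLICIES else None


def list_decision(event, txt_records):
    """Apply quoted steps 1 and 2 to a 'subscribe' or 'submit' event."""
    if event not in ("subscribe", "submit"):
        raise ValueError(event)
    return "deny" if author_policy(txt_records) in RESTRICTIVE else "accept"


# Constructed TXT record sets, keyed by a made-up author domain.
SAMPLES = {
    "strict.example": ["v=DMARC1; p=reject; rua=mailto:reports@strict.example"],
    "relaxed.example": ["v=spf1 -all", "v=DMARC1; p=none"],
    "broken.example": ["p=reject; v=DMARC1"],  # version tag not first
    "double.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, author_policy(records), list_decision("submit", records))
```

The malformed and duplicated records fall through to "accept" because neither yields a usable policy, which is the case a list operator most needs to decide on deliberately.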