--On Saturday, October 24, 2015 09:33 -0400 Rich Kulawiec <rsk@xxxxxxx> wrote:

>...
> Precisely. My spamtraps observe messages all day, every day
> that pass whatever validation happens to be in play -- but are
> clearly forgeries. And it's a VERY rare end user who is
> capable of making that same determination. Thus the warm
> fuzzies provided by mail clients that mark messages as
> "validated" or "authenticated" or whatever term is used are
> going to make these problems worse, not better.
>
> Until the underlying security issues are fixed -- and I see
> absolutely no signs that any of the 500-pound gorillas even
> *intend* to address those at scale, let alone are actively
> engaged in doing so -- this (DMARC and related) just
> wallpapers over the problem.

Rich, Martin, John L. and others,

For several reasons, I've been trying to stay out of this since a few comments when DMARC first came up, but I think some significant issues deserve comment and IETF actions different from "patch Mailman".

First of all, this is, intentionally or not, more than wallpaper for the 500-pound gorilla community. By making mailing lists less functional, it drives people, not to NNTP, but to their proprietary "social"/ "collaborative" systems. Those systems are enhanced versions of what we used to call "bulletin boards" and allow them to do a much better job of identifying user interests and selling ads than mailing lists that they don't control. As an alternative, it helps drive people to _their_ mailing lists, which obviously don't have problems with incoming DMARC (or whatever) and which have the same effects relative to information-collection. I don't have any information that any of those actors deployed DMARC for those commercial reasons, but would be astonished if no one at any of them had not noticed the side-effects by now.

Second, even though many of us know how to subvert or bypass DMARC, etc., and I agree with Dave's comments about user education, a commercial mail provider is in much the same position as a financial institution: for the latter, it can be important to claim that they are applying supposedly state of the art protection mechanisms even if what that means is SSL 1.0 with certs there is no hope of being able to verify. If one thing or another is changed to the point that the validation helps, the methods are, as you have pointed out, easily subverted. That would fall into the fairly nasty category known as "making the bad guys smarter".

--On Sunday, October 25, 2015 08:40 +0900 Randy Bush <randy@xxxxxxx> wrote:

> < rant >
>
> it really makes little difference. face it, email standards
> are now made by google, yahoo, aol, ... and shoved down our
> throats. have you seen the hoops one has to jump through to
> smtp over v6 to google? they outsource their alleged pain to
> the rest of the internet.

Ok, it seems to me that the above --Rich's, John's, and Randy's comments included along with others-- means the IETF has three choices (each of which has small variations):

Option 1: Either what those providers have decided to do is actually the right option or, because they are a family of 500 pound gorillas, they are going to get their way and we need to go along. If that is the correct or preferred way of looking at this, then we should modify our servers to do what they like or to work around the problems they create.
We can have a WG try to make minor improvements in (in this case) DMARC, but with the understanding that anything that modifies the contents of "From:" violates the definition and semantics of that field as identifying the human message originator and noting that we've got "Sender:" and "Resent-*" fields that are intended for situations in which the last entity to inject the message into Internet mail is not the same as the human message originator and that we, like a few centuries of postal services before us, made a distinction between envelope and message header information for a reason. This option can be accompanied by periodic whining and/or ranting, but with the understanding that it is unlikely to accomplish anything.

I hope that, if the effect of anything that comes out of the WG actually does modify long-established semantics, it will be identified as "updating" the relevant specs and subjected to the level of Last Call scrutiny associated with such things.

(2) We decide that the long-established semantics are the right ones, that we have made reasonable decisions about how email works, and the DMARC (at least if strictly applied) encourages bad behavior that threatens the mail infrastructure and/or the idea of small or individual mail providers (noting the significant privacy advantages of such servers). On that basis, we refuse to make changes simply to accommodate breakage by one or more vendors. We encourage the IAB or IESG to issue a statement explaining why a collection of vendors introducing and then enforcing de-facto standards, especially ones that have nasty side-effects, is a bad idea and precisely the reason IETF, ISOC, and others have endorsed the Open Stand principles. If IETF participants are hurt as a result of their choices of email providers, too bad -- if they vote with their feet and maybe complaints to local regulators (see below) perhaps the relevant vendors will notice.
This may be the right approach whether one believes that expected output from the DMARC WG will eventually fix the problem but that large mail vendors will then need to be persuaded to adopt it or if one believes DMARC is more fundamentally flawed.

(3) We decide that this is really all ok, that nothing of significance (other than perhaps upgrading Mailman) needs to be done, that we are ok with whatever distortions of semantics occur, and that the many comments of the last week or so just constitute an instance of the IETF community's periodic need to whine or rant and this situation just provided a good opportunity.

> my paranoid brother wonders if this is intentionally pushing
> small smtp sites to give up and use the mail cartel. but i
> think that is just collateral damage.

I do too. However your paranoid brother has a point in terms of what this might look like to a suspicious antitrust or competitiveness regulator, especially if we made the sort of statement suggested in (2) above.

Because we have friends at the relevant vendors, especially Google, if we were going to go ahead with (2), I think it would be important to give them a strong heads-up and opportunity to work out joint statements. But, if we believe in our standards and principles, I don't think (1) and (3) really ought to be options.

I would hope this could be a discussion for the plenary in Yokohama and that, if people believe the leadership is not paying appropriate attention to the issues (either too much or too little), they will discuss that problem with the Nomcom.

best,
john