--On Monday, October 26, 2015 17:08 +0000 Ted Lemon <Ted.Lemon@xxxxxxxxxxx> wrote:

> If we decide that the long-established semantics are the right
> ones, then I think our email standards deserve to die, because
> they don't currently work.

Ted,

I think millions of users, passing around tens or hundreds of millions of messages a day, would probably disagree with "don't currently work" or at least dismiss it as rather extreme hyperbole.

Now I can probably think of at least as many ways in which I think the functionality would be different in a more perfect world and the ability to positively identify a sender (or identify spoofed messages or message components) and to verify that what is received is what was sent, and to do both without complex arrangements (private key management by end users as just one example) are high on my list. I would, of course, like that done in a fashion that is completely consistent with privacy, just as I count on the privacy of a postal message sent in a sealed envelope (and may be deluded about both). I note, fwiw, that, to the extent to which I have non-spoofing or non-tampering expectations of postal mail, those expectations are largely based on assumptions built into statutes, not because the protocols are particularly clever about such things.

> I share your concern about email
> turning into closed bulletin boards, but the way to fix that
> is to accept that email as it is is badly broken, and try to
> fix it, not to get mad at Google et al. for refusing to
> continue to suffer the brokenness.

Perhaps I haven't been looking in the right places, but I haven't heard Google claim that email is "badly broken", much less "doesn't work". What I have heard is some claims about blocking of some messages originating from bogus or unauthorized senders. That is a sender authentication problem, not a "broken email protocol" one. As a solution to that problem, there have been several comments on this list to the effect that DMARC, as Google apparently plans to use it, will not be particularly effective. Equally important, if Google really cares about either sender authentication or verification that a sender who uses a particular backward-pointing address today is the same entity who used it yesterday, we know of a large variety of ways to approximate at least the latter. The observation that Google isn't doing any of those things, even the ones they could support with a very large fraction of their users and without protocol changes, suggests that isn't the issue.

So, if you are going to claim that our existing standards don't work, I think it would be good to have a clear explanation of what you mean and what, precisely, doesn't work.

Of course, I can only hope that, contrary to your apparent claim, this message will reach you in spite of non-working protocols and you will be able to reply.

    john