Re: DMARC -> CERT?

Mon, 14 Apr 2014 11:24:53 -0700 

Christopher Morrow wrote:

On Mon, Apr 14, 2014 at 1:25 PM, Laszlo Hanyecz <las...@heliacal.net> wrote:

By their statement it's obvious that yahoo doesn't care about what they broke.  
It's
unfortunate that email has become so centralized that one entity can cause so
much 'trouble'.  Maybe it's a good opportunity to encourage the affected 
mailing list
subscribers to use their own domains for email, and host it themselves if 
possible.


I sort of wonder if this is really just yahoo trying to use a stick to
motivate people to do the right thing? It seems like everyone's been
trying for a while to 'make email better'... and that perhaps DMARC
will make it somewhat better, and if setup properly this is a
non-issue... after much faffing: "Welp, how about we whack the
mail-lists (and others) with a stick and get movement int he right
direction?"

not sure this is all bad... and i think the fix is pretty
straightforward for list folk, right? so all the faffing on this list
and others took longer to do than the fix-action?
Well, if you consider writing software patches to complicated software simple.
And it would certainly help if the guidance on what to do is clearer - last week, dmarc.org's FAQ listed, as among the options for list operators:
"Add an Original Authentication Results <http://tools.ietf.org/html/draft-kucherawy-original-authres-00> (OAR) header to indicate that the list operator has performed authentication checks on the submitted message and share the results. " -- which would be transparent to list subscribers 

but, as of a couple of days ago, that's qualified by:
"*This is not a short term solution.* Assumes a mechanism to establish trust between the list operator and the receiver. No such mechanism is known to be in use for this purpose at this time. Without such a mechanism, bad actors could simply add faked OAR headers to their messages to circumvent such measures. OAR was only described as a draft document, which expired in 2012. No receivers implementing DMARC are currently known to make use of OAR from external sources."
So the low-impact (to end users) fix is now not recommended, and all the other available fixes require changes that degrade long-accepted functionality of mailing lists (e.g., the ability to reply to the author of a message). 

Miles Fidelman




--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra

Reply via email to