nanog mailing list archives
Re: DMARC -> CERT?
From: Miles Fidelman <mfidelman () meetinghouse net>
Date: Mon, 14 Apr 2014 14:23:41 -0400
Christopher Morrow wrote:
> On Mon, Apr 14, 2014 at 1:25 PM, Laszlo Hanyecz <laszlo () heliacal net> wrote:
>> By their statement it's obvious that yahoo doesn't care about what they broke. It's unfortunate that email has become so centralized that one entity can cause so much 'trouble'. Maybe it's a good opportunity to encourage the affected mailing list subscribers to use their own domains for email, and host it themselves if possible.
>
> I sort of wonder if this is really just yahoo trying to use a stick to motivate people to do the right thing? It seems like everyone's been trying for a while to 'make email better'... and that perhaps DMARC will make it somewhat better, and if setup properly this is a non-issue... after much faffing: "Welp, how about we whack the mail-lists (and others) with a stick and get movement in the right direction?" not sure this is all bad... and i think the fix is pretty straightforward for list folk, right? so all the faffing on this list and others took longer to do than the fix-action?

Well, if you consider writing software patches to complicated software simple.

And it would certainly help if the guidance on what to do is clearer - last week, dmarc.org's FAQ listed, as among the options for list operators:
"Add an Original Authentication Results <http://tools.ietf.org/html/draft-kucherawy-original-authres-00> (OAR) header to indicate that the list operator has performed authentication checks on the submitted message and share the results." -- which would be transparent to list subscribers

but, as of a couple of days ago, that's qualified by:

"*This is not a short term solution.* Assumes a mechanism to establish trust between the list operator and the receiver. No such mechanism is known to be in use for this purpose at this time. Without such a mechanism, bad actors could simply add faked OAR headers to their messages to circumvent such measures. OAR was only described as a draft document, which expired in 2012. No receivers implementing DMARC are currently known to make use of OAR from external sources."

So the low-impact (to end users) fix is now not recommended, and all the other available fixes require changes that degrade long-accepted functionality of mailing lists (e.g., the ability to reply to the author of a message).

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is. .... Yogi Berra
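
Added example (not part of the original message, the dmarc.org FAQ, or any deployed receiver): a sketch of the receiver-side trust check the FAQ says is missing, in which an OAR header is consulted only when a list operator on a local allowlist has DKIM-signed over it and the receiver's own MTA verified that signature. The allowlist, the authserv-id, the function names and the sample messages are assumptions made up for illustration, and the border MTA is assumed to strip inbound Authentication-Results headers that carry its own authserv-id.

```python
import re
from email import message_from_string

MY_AUTHSERV_ID = "mx.receiver.example"   # assumption: this receiver's authserv-id
TRUSTED_LISTS = {"lists.example.org"}    # assumption: locally configured allowlist
OAR = "Original-Authentication-Results"  # header name used by the OAR draft

def locally_verified_dkim(msg):
    """Domains for which our own border MTA recorded dkim=pass."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        if authserv_id.strip().lower() != MY_AUTHSERV_ID:
            continue  # stamped by another host, so it proves nothing
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I):
            passed.add(m.group(1).lower())
    return passed

def domains_signing_oar(msg):
    """Signing domains whose DKIM-Signature h= list covers the OAR header."""
    covered = set()
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in sig.split(";"):
            key, sep, val = part.partition("=")
            if sep:
                tags[key.strip().lower()] = val.strip()
        signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
        if OAR.lower() in signed:
            covered.add(tags.get("d", "").lower())
    return covered

def usable_oar(raw_message):
    """Return the OAR value only when a trusted list operator vouches for it."""
    msg = message_from_string(raw_message)
    vouching = locally_verified_dkim(msg) & domains_signing_oar(msg) & TRUSTED_LISTS
    return msg.get(OAR) if vouching else None

# Constructed samples. FORGED carries a copied list signature that our MTA failed.
SIG = ("DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=sel;\n"
       " h=from:subject:original-authentication-results; bh=xx; b=xx\n")
TAIL = (OAR + ": lists.example.org; dkim=pass header.d=author.example\n"
        "From: someone@author.example\nSubject: hi\n\nbody\n")
FORGED = ("Authentication-Results: mx.receiver.example; dkim=fail header.d=lists.example.org\n"
          "Authentication-Results: lists.example.org; dkim=pass header.d=lists.example.org\n"
          + SIG + TAIL)
FROM_LIST = ("Authentication-Results: mx.receiver.example; dkim=pass header.d=lists.example.org\n"
             + SIG + TAIL)
```

The forged sample shows the FAQ's concern: the OAR header and a foreign Authentication-Results line both claim a pass, but neither counts because only the receiver's own verification result is treated as evidence.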