nanog mailing list archives

Re: DMARC -> CERT?


From: Miles Fidelman <mfidelman () meetinghouse net>
Date: Mon, 14 Apr 2014 14:23:41 -0400

Christopher Morrow wrote:
On Mon, Apr 14, 2014 at 1:25 PM, Laszlo Hanyecz <laszlo () heliacal net> wrote:
By their statement it's obvious that yahoo doesn't care about what they broke.  It's
unfortunate that email has become so centralized that one entity can cause so
much 'trouble'.  Maybe it's a good opportunity to encourage the affected mailing list
subscribers to use their own domains for email, and host it themselves if possible.

I sort of wonder if this is really just yahoo trying to use a stick to
motivate people to do the right thing? It seems like everyone's been
trying for a while to 'make email better'... and that perhaps DMARC
will make it somewhat better, and if set up properly this is a
non-issue... after much faffing: "Welp, how about we whack the
mail-lists (and others) with a stick and get movement in the right
direction?"

not sure this is all bad... and I think the fix is pretty
straightforward for list folk, right? so all the faffing on this list
and others took longer to do than the fix-action?


Well, if you consider writing software patches to complicated software simple.

And it would certainly help if the guidance on what to do is clearer - last week, dmarc.org's FAQ listed, as among the options for list operators:

"Add an Original Authentication Results <http://tools.ietf.org/html/draft-kucherawy-original-authres-00> (OAR) header to indicate that the list operator has performed authentication checks on the submitted message and share the results." -- which would be transparent to list subscribers

but, as of a couple of days ago, that's qualified by:

"*This is not a short term solution.* Assumes a mechanism to establish trust between the list operator and the receiver. No such mechanism is known to be in use for this purpose at this time. Without such a mechanism, bad actors could simply add faked OAR headers to their messages to circumvent such measures. OAR was only described as a draft document, which expired in 2012. No receivers implementing DMARC are currently known to make use of OAR from external sources."

So the low-impact (to end users) fix is now not recommended, and all the other available fixes require changes that degrade long-accepted functionality of mailing lists (e.g., the ability to reply to the author of a message).

Miles Fidelman




--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
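The reason a list's unchanged relay fails under Yahoo's policy, and why the remaining fixes cost the list functionality, comes down to DMARC identifier alignment. The script below is an added illustration written for this archive page, not code from the thread or from dmarc.org: it models the receiver-side check (From-domain alignment with the domain that passed SPF or DKIM, then the published policy) over three constructed scenarios: a direct message, the same message relayed through a list that adds a footer and re-sends from its own envelope address, and a list that rewrites From to its own domain while preserving the author in Reply-To. Domain names, the DMARC records and the organizational-domain helper are constructed assumptions; a real receiver looks the record up at `_dmarc.<domain>` and uses the Public Suffix List.

```python
"""Minimal DMARC alignment evaluator (added example, not from the NANOG thread).

Models what a receiver enforcing DMARC does with an inbound message: check
whether the RFC5322.From domain aligns with the domain that passed SPF or
DKIM, then apply the policy the From domain publishes.  All records and
messages here are constructed sample data; no DNS lookups are performed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed DMARC TXT records keyed by From domain (in reality these live at
# _dmarc.<domain>).  'p' is the policy; 'adkim'/'aspf' select strict (s) or
# relaxed (r) alignment.
DMARC_RECORDS = {
    "yahoo-example.test": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:agg@yahoo-example.test",
    "list-example.test": "v=DMARC1; p=none",
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a 'tag=value; tag=value' record; alignment defaults to relaxed (RFC 7489)."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Toy organizational-domain derivation: keep the last two labels.
    Real receivers consult the Public Suffix List; this is an assumption that
    holds for the constructed sample domains only."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain: str, auth_domain: str | None, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if not auth_domain:
        return False  # that mechanism did not pass at all
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class Message:
    from_domain: str               # domain in the RFC5322.From header
    spf_pass_domain: str | None    # RFC5321.MailFrom domain if SPF passed, else None
    dkim_pass_domain: str | None   # d= of a DKIM signature that verified, else None
    reply_to: str | None = None    # kept so the rewritten-From case stays answerable


def evaluate(msg: Message) -> str:
    """Return 'pass' when aligned, otherwise the published policy
    ('none', 'quarantine' or 'reject'); 'none' also when no record exists."""
    record = DMARC_RECORDS.get(msg.from_domain)
    if record is None:
        return "none"
    tags = parse_dmarc(record)
    if (aligned(msg.from_domain, msg.dkim_pass_domain, tags["adkim"])
            or aligned(msg.from_domain, msg.spf_pass_domain, tags["aspf"])):
        return "pass"
    return tags.get("p", "none")


# Constructed scenarios.
# 1. Author's own server sends directly: SPF and DKIM both pass for the From domain.
DIRECT = Message("yahoo-example.test", "yahoo-example.test", "yahoo-example.test")
# 2. List relays the post unchanged in From: envelope sender is now the list,
#    and the added footer/subject tag invalidates the author's DKIM signature.
VIA_LIST_UNCHANGED_FROM = Message("yahoo-example.test", "list-example.test", None)
# 3. List rewrites From to its own domain, signs with its own DKIM key, and
#    moves the author to Reply-To (the functionality loss the thread describes).
VIA_LIST_REWRITTEN_FROM = Message("list-example.test", "list-example.test",
                                  "list-example.test", reply_to="author@yahoo-example.test")

if __name__ == "__main__":
    for name, m in [("direct", DIRECT),
                    ("via list, From unchanged", VIA_LIST_UNCHANGED_FROM),
                    ("via list, From rewritten", VIA_LIST_REWRITTEN_FROM)]:
        print(f"{name:28s} -> {evaluate(m)}")
```

Run it and the middle case comes back `reject` under the constructed `p=reject` record, while the From-rewritten case passes only because the list now asserts its own identity; the author's address survives solely in Reply-To, which is exactly the degradation the post complains about.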