[170963] in North American Network Operators' Group


Re: DMARC -> CERT?

daemon@ATHENA.MIT.EDU (Miles Fidelman)
Mon Apr 14 14:24:15 2014

Date: Mon, 14 Apr 2014 14:23:41 -0400
From: Miles Fidelman <mfidelman@meetinghouse.net>
CC: NANOG <nanog@nanog.org>
In-Reply-To: <CAL9jLabX6A-QPhEhN1iwrhEwyQ2uaoi2af7fJT+BTPRtNWRRwg@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Christopher Morrow wrote:
> On Mon, Apr 14, 2014 at 1:25 PM, Laszlo Hanyecz <laszlo@heliacal.net> wrote:
>> By their statement it's obvious that yahoo doesn't care about what they broke.  It's
>> unfortunate that email has become so centralized that one entity can cause so
>> much 'trouble'.  Maybe it's a good opportunity to encourage the affected mailing list
>> subscribers to use their own domains for email, and host it themselves if possible.
>>
> I sort of wonder if this is really just yahoo trying to use a stick to
> motivate people to do the right thing? It seems like everyone's been
> trying for a while to 'make email better'... and that perhaps DMARC
> will make it somewhat better, and if set up properly this is a
> non-issue... after much faffing: "Welp, how about we whack the
> mail-lists (and others) with a stick and get movement in the right
> direction?"
>
> not sure this is all bad... and i think the fix is pretty
> straightforward for list folk, right? so all the faffing on this list
> and others took longer to do than the fix-action?
>
>
Well, if you consider writing software patches to complicated software 
simple.

And it would certainly help if the guidance on what to do were clearer - 
last week, dmarc.org's FAQ listed, among the options for list operators:

"Add an Original Authentication Results 
<http://tools.ietf.org/html/draft-kucherawy-original-authres-00> (OAR) 
header to indicate that the list operator has performed authentication 
checks on the submitted message and share the results. " -- which would 
be transparent to list subscribers

but, as of a couple of days ago, that's qualified by:

"*This is not a short term solution.* Assumes a mechanism to establish 
trust between the list operator and the receiver. No such mechanism is 
known to be in use for this purpose at this time. Without such a 
mechanism, bad actors could simply add faked OAR headers to their 
messages to circumvent such measures. OAR was only described as a draft 
document, which expired in 2012. No receivers implementing DMARC are 
currently known to make use of OAR from external sources."

So the low-impact (to end users) fix is now not recommended, and all the 
other available fixes require changes that degrade long-accepted 
functionality of mailing lists (e.g., the ability to reply to the author 
of a message).

Miles Fidelman

-- 
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
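
The thread above argues about why a mailing list breaks DMARC for its subscribers and why the OAR header is no fix. The following is an added worked example, not code from the NANOG thread or from dmarc.org: a minimal DMARC identifier alignment check in the style of RFC 7489 section 3.1, run over three constructed messages (direct submission, list relay, and list relay with From: rewriting). The domains author.example and list.example, the sample headers, and the simplified organizational-domain rule (last two labels instead of the Public Suffix List) are assumptions made for the example.

```python
"""
Added example, not code from the NANOG thread: a minimal DMARC identifier
alignment check applied to three constructed messages that show why a
mailing list breaks DMARC for a sender whose domain publishes p=reject,
and what From: rewriting changes.

Assumptions (not from the page): the domains author.example and
list.example, the sample headers below, and a simplified
organizational-domain rule that takes the last two labels instead of
consulting the Public Suffix List.
"""
import email
import email.utils


def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for this example; real receivers use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(from_domain, auth_domain, mode="r"):
    """Relaxed ('r') alignment compares organizational domains;
    strict ('s') alignment requires an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(raw_message, spf_pass_domain, dkim_pass_domains,
                   policy="reject", mode="r"):
    """Evaluate DMARC for one message.

    spf_pass_domain:   the MAIL FROM domain if SPF returned pass, else None.
    dkim_pass_domains: the d= values of DKIM signatures that verified.
    policy:            the p= value the From: domain publishes (assumed).

    Any Original-Authentication-Results header carried inside the message
    is deliberately never read: the message itself cannot vouch for it,
    which is the objection the dmarc.org FAQ raises against OAR.
    """
    msg = email.message_from_string(raw_message)
    _, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    spf_ok = aligned(from_domain, spf_pass_domain, mode)
    dkim_ok = any(aligned(from_domain, d, mode) for d in dkim_pass_domains)
    passed = spf_ok or dkim_ok
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }


# Constructed message 1: sent directly by the author to the list host.
DIRECT = """From: Alice <alice@author.example>
To: discuss@list.example
Subject: DMARC and lists

hello
"""

# Constructed message 2: the same message after the list relayed it.
# The list changed the envelope sender to its own domain, added a subject
# tag (which invalidates the author's DKIM signature), signed with its own
# key, and added an OAR header that the receiver has no reason to trust.
RELAYED = """Original-Authentication-Results: list.example; dkim=pass header.d=author.example
From: Alice <alice@author.example>
To: discuss@list.example
Subject: [discuss] DMARC and lists

hello
"""

# Constructed message 3: the list rewrote From: to its own domain and moved
# the author's address to Reply-To, so the author no longer appears in From:.
REWRITTEN = """From: Alice via discuss <discuss@list.example>
Reply-To: alice@author.example
To: discuss@list.example
Subject: [discuss] DMARC and lists

hello
"""


def demo():
    """Evaluate the three constructed messages as a p=reject receiver would."""
    return {
        "direct": dmarc_evaluate(DIRECT, "author.example", ["author.example"]),
        "relayed": dmarc_evaluate(RELAYED, "list.example", ["list.example"]),
        "rewritten": dmarc_evaluate(REWRITTEN, "list.example", ["list.example"]),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10s} {r['result']:4s} disposition={r['disposition']}")
```

The relayed copy fails both SPF and DKIM alignment because every identifier the list can authenticate belongs to list.example while From: still says author.example, so a p=reject policy bounces it at every subscriber whose provider enforces DMARC. The rewritten copy passes, but only because the author's address has been moved out of From:, which is the loss of reply-to-author behaviour the message above complains about. The OAR header in the relayed copy changes nothing, since the evaluator never consults it.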
