DMARC is an anti-phishing technique that AOL and Yahoo
repurposed last year to help them deal
with the consequences of spam to (and apparently from) addresses in
stolen address books.
Since DMARC cannot tell mail sent through complex paths like mailing lists from phishes,
this had the unfortunate side effect of screwing up nearly every discussion list
on the planet.
Last week the DMARC group published a proposal called ARC, for
Authenticated Received Chain, that is intended to mitigate the
damage. What is it, and how likely is it to work?
ICANN is in the midst (I wouldn't yet say the middle) of its transition
from oversight by the US Department of Commerce to oversight by
A Cross Community Working Group on Accountability delivered
report in August that proposes a new oversight structure for ICANN.
But it has the practical problem that the ICANN board really, really hates it.
Having looked at it, I can't entirely blame them.
ICANN, as we all know, is a California non-profit that is tax exempt in the US
as a charity, under section 501(c)(3) of the US tax code.
But it's a rather unusual charity.
Typical charities support the arts, or education, or sports, or relief for the poor.
ICANN doesn't do anything like that.
So what's the basis for its tax exemption?
We don't have to guess; it's all in the application they filed in 1999.
Back in the 1990s as the Internet was starting to become
visible to the world, several people had the bright idea of
setting up their own top level domains and selling names
in competition with what was then the monopoly registrar Network Solutions (NSI).
For these new TLDs to be usable, either the TLD operators
had to persuade people to use their root servers rather
than the IANA servers, or else get their TLDs into the
Attempts to get people to use other roots never were
very successful, particularly after Eugene Kashpureff,
the operator of alternate root AlterNIC, made an ill-advised
attempt to use DNS cache poisoning to
web traffic from the InterNIC website and pled guilty to wire fraud.
Some of the alternate root TLDs are still around, with operators who
are under the impression
that they have a right to have their TLDs in the IANA root.
One of them is name.space.
At NetHui last week one of the most
interesting sessions was
"Is there an app for that?"
The issue was that while apps can be easy to use, they are little walled gardens within an app store
which is another level of walled garden.
Last week I was in Auckland NZ for the Internet Society board meeting
and the impressively successful InterCommunity
2015 online event.
Immediately after that (in the same room, even) was
NetHui 2015, an annual event about the Internet
by and for New Zealanders.
NZ is an unusual place. It has the population of Louisiana spread out
over an area the size of California, with about 1/3 of them in and
near Auckland and the South Island still very sparsely settled. The population is
still small enough that it feels like everyone knows everyone else. It is
as developed as any other first world country, but is a long way from
other similarly developed countries. (Australia is 3 1/2 hours away
by air.) It has close connections to many
small Pacific islands, and has a significant number of Maori, who have
gained considerable economic influence in recent decades.
When last we wrote,
trademark lawyers had written an outraged letter to ICANN about
the $2500 price to preregister trademark.sucks names,
and ICANN, reliably panicking in the face of legal threats,
wrote to the US Federal Trade Commission and Canadian Office
of Consumer Affairs saying please tell us
that's illegal so we can shut down this registry with whom
we just signed a long-term contract.
(The mysterious $1 surcharge turned out to be a weak attempt
by ICANN to collect debts that affiliates of registry owner Momentous defaulted on long ago.)
Stepping back from the
DMARC arguments, it occurs
to me that there is a predictable cycle with every new e-mail security technology.
1. Invention and enthusiasm
Someone invents a new way to make e-mail more secure, call it SPF or DKIM or DMARC or
(this month's mini-fiasco) PGP in DANE.
Each scheme has a model of the way that mail works.
For some subset of e-mail, the model works great; for other mail it works less great.
Every year M3AAWG
gives an award for lifetime work in fighting abuse and making the
Internet a better place.
Yesterday at its Dublin meeting they
it to Rodney Joffe, who has been quietly working for
over 20 years. I can't imagine anyone who deserves it more.
Since he wasn't able to attend in person, they made a video of an
informal interview in which he recounts a lot of what he's done,
with a few comments from his friends.
Adblock Plus is a very popular little program
that plugs into your web browser.
As its name suggests, it keeps ads from appearing in your web browser.
While users love it, advertisers and some webmasters hate it.
Its authors, Eyeo, are a small German company that has been sued in German
courts several times, and won every time.
This week a Munich court ruled in its favor again.
The IETF is once again wrestling with e-mail authentication and reputation,
this time in the context of DMARC,
particularly the long running issue of DMARC vs. mailing lists.
We have a bunch of proposals with various techniques of signing messages,
asking various parties who is authorized to send what.
Some of them seem workable, but a lot aren't.
I have found that a few basic rules that apply to any reputation scheme
make it a lot easier to evaluate
whether a proposal can work.
Although I don't have a lot of sympathy for the trademark
lawyers' argument that trademark holders need to register .sucks domains cheaply before anyone
else can, there is one point at the end of their letter that's worth a look.
Good taste has never been a criterion in ICANN's new domains program, and domains including .fail
and the remarkably vulgar .wtf have become part of the DNS with little comment.
Now we have .sucks, which is intended to empower consumers, but does so in a way so clumsy
that ICANN is
in the U.S. and Canada for an excuse to shut it down.
(and everyone else) are reporting that Apple has finally been added to the Dow Jones Industrial Average.
No surprise about that; it was inevitable once their stock split last year, but I was somewhat surprised
to see that they kicked out at&t to make room for it.
Back in the mid 1990s, before ICANN was invented, a lot of people assumed that the way you would
find stuff on the Internet would be through the Domain Name System.
It wasn't a ridiculous idea at the time.
The most popular way to look for stuff was through manually managed directories like Yahoo's,
but they couldn't keep up with the rapidly growing World Wide Web.
Search engines had been around since 1994, but they were either underpowered and missed
a lot of stuff, or else produced a blizzard of marginally relevant results.
(Brin and Page wouldn't publish their billion dollar PageRank idea until 1998.)
Moreover, web browsers had started to do domain guessing, so if you entered, say,
pickles in your browser's address bar, it would take you to
ICANN reports that Google paid over $25 million for .APP
in the February 25 domain auction.
They were willing to bid $30M, but it's a second bid auction so that was just enough to beat out
whoever the second highest bidder was.
The auction proceeds piggy bank just nearly doubled from $34M to about $59M, and ICANN
still has no idea what to do with it.
Since there are still a lot more domain conflicts yet to be resolved, some for likely high bid
names like .SEARCH and .WEB, it still seems possible that the final haul could be as much as $100M.
The Silk Road trial got under way, with the defense trying to argue that defendant Ross Ulbricht
wasn't really the Dread Pirate Roberts, but instead it was Mark Karpeles, of MtGox fame.
go so well, but it certainly provided a lot of amusement to reporters and spectators.
I have often remarked that any fool can run a DNSBL and many fools do so.
Since approximately nobody uses the incompetently run BLs, they don't matter.
Unfortunately, using a DNSBL requires equally little expertise, which becomes
a problem when an operator wants to shut down a list.