On 8/14/20 12:16 PM, Dotzero wrote:
>
>
> On Fri, Aug 14, 2020 at 10:59 AM Kurt Andersen (b) <[email protected]
> <mailto:[email protected]>> wrote:
>
>     It would be worthwhile for everyone in the group to read
>     through
>     https://www.usenix.org/conference/usenixsecurity20/presentation/chen-jianjun
>     as they analyze implementation flaws that allow attacks against
>     DMARC in existing implementations.
>
>     The paper should be publicly accessible now since the conference
>     is in progress. There's also a slide deck with a summarized set of
>     results from their study.
>
>     --Kurt
>
>
> Did a first look at the slide deck. Some interesting stuff. Some is
> clearly interoperability and should be considered by the working
> group. Some is DMARC/DKIM/SPF implementation issues and some like the
> display name is intractable. As someone suggested to me today, it
> would be incredibly useful to disambiguate the Display Name from the
> From email address for anti-abuse purposes but my feeling is a) that
> is something for the email core group (not this group) and b) there
> would be incredible pushback against such an effort.
>
Agreed. I watched the presentation this morning and he points out a
number of likely implementation issues that are worth evaluating.
Haven't had a chance to read the paper in detail yet.

But he doesn't seem to have considered primarily cases where the From
email address is presented to and evaluated by the user. He largely
ignores MUAs that show only the friendly name and research showing that
even if displayed, it is frequently ignored.

-Jim

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
