poorly defined http report which we took out.  I propose we add back
https reporting similar to that for mta-sts, with a POST of the gzipped report
to the HTTPS URI.

Was this requested by someone?

I don't recall a strong discussion of security and privacy concerns around
HTTP(S) reporting. Presumably the report contents are protected in transit,
but to what extent is access by arbitrary parties an issue? Notwithstanding
that things like GDPR are political issues, they are worth noting as a real-life
operational consideration.

The original motivation was performance, since uploading a big file via https is a lot faster than base64 encoding it and relaying it by mail.

I don't understand the security or GDPR references. For one thing, these are aggregate reports which generally don't have any PII. For another, https reporting would be considerably more secure than mail reporting. The report goes via an encrypted channel directly to the target server which is identified by its ssl certificate. There's no relaying through intermediate servers. If the report can't be delivered, the upload just fails and there's no possibility of it being diverted by spam filters or bouncing into some random admin mailbox.

Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
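The reporter side of the proposal above (gzip the aggregate report, POST it directly to the HTTPS URI, let the upload simply fail if the certificate-identified endpoint cannot be reached), written as an added example for this thread rather than code from the list or from any DMARC implementation. The sample report, the report URI and the `application/gzip` media type are assumptions made for the example; the thread does not fix a media type for HTTPS-posted reports.

```python
import gzip
import ssl
import urllib.parse
import urllib.request

# Constructed sample: a minimal DMARC aggregate report (XML); not a real report.
SAMPLE_REPORT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>example.net</org_name><report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
</feedback>
"""


def build_report_request(report_xml: bytes, report_uri: str) -> urllib.request.Request:
    """Gzip the aggregate report and wrap it in a POST to the report URI.

    Only https:// is accepted: the report must travel over an encrypted channel
    straight to the certificate-identified endpoint, with no relay hop between.
    """
    scheme = urllib.parse.urlsplit(report_uri).scheme.lower()
    if scheme != "https":
        raise ValueError(f"report URI must use https, got {scheme!r}")
    body = gzip.compress(report_xml)
    # Media type is an assumption for this example; the thread does not settle it.
    headers = {"Content-Type": "application/gzip", "Content-Length": str(len(body))}
    return urllib.request.Request(report_uri, data=body, headers=headers, method="POST")


def unpack_report_body(body: bytes) -> bytes:
    """What the receiving endpoint does with the POST body: gunzip back to XML."""
    return gzip.decompress(body)


def send_report(report_xml: bytes, report_uri: str, timeout: float = 30.0) -> bool:
    """POST the report; True on a 2xx response, False if the upload fails.

    Certificate and hostname checks stay at the stdlib default (required), so a
    misconfigured or impersonated endpoint makes the upload fail outright instead
    of the report quietly landing somewhere else.
    """
    req = build_report_request(report_xml, report_uri)
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return 200 <= resp.status < 300
    except OSError:  # URLError (including TLS failures) is an OSError subclass
        return False
```

Call `send_report(SAMPLE_REPORT_XML, "https://dmarc-report.example.com/v1/report")` to try the upload against a placeholder URI; a plain `http://` URI is refused before any connection is made.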

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
