On 1/24/21 1:36 PM, John Levine wrote:
> In article <[email protected]> you write:
>> Any reporting needs to be authenticated. If you're going to use http,
>> you need to show how you're going to do that.
>
> DMARC systems have been producing and consuming reports for a decade
> without authentication, without any problems I am aware of other than
> the occasional failure report loop, so we have practical experience
> telling us this assertion is not true.

"That I'm aware of" doesn't count for anything in the security realm. If
this document intends to be standards track, the default security posture
is that everything needs authentication. Good luck getting it through
the IESG handwaving the problem away. At least with mail, a little
normative text fixes the problem. That won't be the case for http.
Mike
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc