On Sun 24/Jan/2021 19:49:00 +0100 John Levine wrote:
> In article <[email protected]> you write:
>>> In sec 3 it says the reports SHOULD include all URIs.  That is a privacy
>>> problem since it is common for unsubscribe URIs to contain the recipient
>>> address in plain text or an easily reversed encoding such as base32.
>>
>> Would something generic like the following do?
>>
>>    These reports SHOULD include any URI(s) from the message that failed
>>    authentication, unless privacy reasons suggest otherwise.  [...]
>
> Why are we telling people to send URIs in preference to any other part
> of the message?  I don't see the point.

Dunno.  In draft-kucherawy-dmarc-base-02 the whole paragraph was:

OLDER:
   These reports SHOULD include the "call-to-action" URI(s) from inside
   messages that failed to authenticate.

Gradually, it took the current shape:

OLD:
   These reports SHOULD include any URI(s) from the message that failed
   authentication.  These reports SHOULD include as much of the message
   and message header as is reasonable to support the Domain Owner's
   investigation into what caused the message to fail authentication and
   track down the sender.

Shall we replace it with the following?

NEW:
   These reports SHOULD include as much of the message and message header
   as is reasonable to support the Domain Owner's investigation into what
   caused the message to fail authentication and track down the sender,
   unless privacy reasons suggest otherwise.


>> Shall I add that verbatim as a second paragraph in Security Considerations?
>>
>>    In addition, note that Organizational Domains are only an approximation
>>    to actual domain ownership.  Therefore, reports may be sent to someone
>>    unrelated to the actual sender or domain owner.
>
> Sure, with the correction above.


I committed both updates in:
https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-failure-reporting

diff:
https://tools.ietf.org/rfcdiff?url1=draft-ietf-dmarc-failure-reporting-00&url2=https://raw.githubusercontent.com/ietf-wg-dmarc/draft-ietf-dmarc-failure-reporting/main/draft-ietf-dmarc-failure-reporting-01.txt


Best
Ale
--

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
