On 1/25/21 8:44 AM, Todd Herr wrote:
On Mon, Jan 25, 2021 at 10:18 AM Michael Thomas <[email protected]
<mailto:[email protected]>> wrote:
The main thing I've learned over the years of dealing with
security is to not underestimate what a motivated attacker can do.
Your imagination is not the same as their imagination. Closing #98
in particular is absolutely ridiculous: the report should already
have a DKIM signature or SPF so it's just a matter of making sure
its valid. Why would you *not* want to insure that? The amount of
justification for *not* having the receiver authenticate it is a
mountain. The amount of effort to authenticate it is trivial for
mail. Levine's dismissal of security concerns because he has
anecdotal "evidence" from a backwater domain carries no weight at all.
That's all well and good, but you haven't answered the question I asked.
What threats do you have in mind? Put another way, how do you envision
an attacker exploiting the lack of authentication in a DMARC report to
his or her gain?
No, sorry, the onus is on the people who don't think it can be gamed. A
bald assertion that it can't be gamed is very unconvincing. You need to
lay out a miles long case for why it cannot be gamed. And to what end?
#98 has a simple piece of text that should be added to DMARC to
eliminate the possibility of forgery. You'd need a 10 page threat I-D to
explain why it's not necessary. What is the point of that? For email,
it's trivial to prevent forgeries. Why would anybody argue against that?
Mike
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
