To avoid more argument, it is time to do a consensus check.

A) To allow the Tree Walk to proceed without dependence on new policy flags, it is necessary to ignore the risks created by private registries. This will allow malicious impersonation within some private registries to be undetected and produce DMARC PASS. This is not a problem because:

- private registries are a tiny subset of all domains
- DMARC-enabled private registries are a tiny subset of all private registries
- Malicious clients are a tiny subset of all private registry clients
- Useful impersonation targets are a tiny subset of all non-malicious clients
- Malicious actors will only be able to attack a subset of all recipient domains
- Only a subset of attacks will produce victims
- Only a subset of victims will fall because of the DMARC result

Therefore, the actual risk is disappearingly small.

B) To avoid unwanted resistance based on a threat that is disappearingly small, it is necessary to avoid or minimize mention of private registries in the DMARCbis document.

I am a solid -1. Based on discussion to date, Scott appears to be a solid +1 and believes he speaks for the group. Let's get that verified.
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
