On Fri 28/Oct/2022 16:49:22 +0200 Murray S. Kucherawy wrote:
> On Fri, Oct 28, 2022 at 3:31 AM Alessandro Vesely <[email protected]> wrote:
>
>> I beg to disagree. DMARC reporting is all about acceptance of a site's cryptographic settings by remote receivers. Domain owners configure their MTAs trying to follow the prevailing trend. Doing so without feedback can cause detachment from reality.
>>
>> RFC8601 provides for a result of dkim=policy, exemplified by a non-signed Subject: field which makes a signature too weak in the eyes of the receiver. I imagine the same mechanism can be used for insufficient key size or deprecated SHA-1. Banning such result from being reported looks like unjustified censorship.
>>
>> Rather, it would make reports more interesting to add some information about what Doug calls the deprecated zone, where my signature is accepted as a boundary case. Finally, why can't I report that an 8k RSA key is excessive?
>
> Nobody is saying you can't report that. What I'm saying is that the DKIM specification doesn't require an implementation to tell you that. You should, therefore, not expect to be able to report that in all cases even if you really really want to. And if that's true, then requiring it in DMARC doesn't make any sense.
>
> We could say that if you have those details, it's really helpful to include them, but we can't require a report to include something that isn't guaranteed to be available.


For some reason, failure reporting for DKIM (RFC 6651) and SPF (RFC 6652) is even less active than failure reporting for DMARC. Aggregate reporting only exists for DMARC, and has made a marked difference, IME. It's the first and only "M2M" channel (besides specialized mailing lists...)

I agree that the spec shouldn't require too much. There are optional fields in the aggregate reports, and we can add more. As of today, the WG agrees about an extension, often exemplified as ARC, but sometimes as BIMI. The challenge is to entice report generators to pay attention to available extensions and develop them as they see fit. Report analyzers will probably find out how to display any extra data if it is conveyed in a structured format.


Best
Ale

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
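An added illustration, not part of the thread and not code from any DMARC implementation: how a receiver that does have these details could turn them into a dkim=policy or annotated pass result and carry the explanation in the optional `human_result` field of an aggregate report's `<dkim>` element. The thresholds, the dict shape of `sig` and the function names are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Receiver-local thresholds. Assumed values for this sketch, not from the thread.
MIN_RSA_BITS = 1024         # below this: dkim=policy
ADVISED_RSA_BITS = 2048     # from MIN up to this: accepted, flagged as boundary case
MAX_USEFUL_RSA_BITS = 4096  # above this: accepted, flagged as excessive
MUST_SIGN = {"from", "subject"}

def evaluate_policy(sig):
    """Classify a signature that already verified cryptographically.

    sig is a dict (constructed shape): d, s, a, bits, h as in the DKIM tags.
    Returns (result, human_result); human_result is "" when there is nothing to say.
    """
    hard, notes = [], []
    if sig["a"].endswith("-sha1"):
        hard.append("deprecated hash " + sig["a"])
    if sig["a"].startswith("rsa-"):
        bits = sig["bits"]
        if bits < MIN_RSA_BITS:
            hard.append(f"{bits}-bit RSA key too short")
        elif bits < ADVISED_RSA_BITS:
            notes.append(f"{bits}-bit RSA key accepted as boundary case")
        elif bits > MAX_USEFUL_RSA_BITS:
            notes.append(f"{bits}-bit RSA key is excessive")
    signed = {name.strip().lower() for name in sig["h"].split(":")}
    for name in sorted(MUST_SIGN - signed):
        hard.append(f"{name} header field not signed")
    return ("policy" if hard else "pass"), "; ".join(hard + notes)

def dkim_auth_result(sig):
    """Render the <dkim> element of an aggregate report's auth_results."""
    result, human = evaluate_policy(sig)
    el = ET.Element("dkim")
    ET.SubElement(el, "domain").text = sig["d"]
    ET.SubElement(el, "selector").text = sig["s"]
    ET.SubElement(el, "result").text = result
    if human:  # human_result is optional in the report schema
        ET.SubElement(el, "human_result").text = human
    return ET.tostring(el, encoding="unicode")

# Constructed sample signatures (not taken from real mail).
SAMPLES = [
    {"d": "example.org", "s": "big", "a": "rsa-sha256", "bits": 8192, "h": "from:subject:date"},
    {"d": "example.org", "s": "old", "a": "rsa-sha1", "bits": 1024, "h": "from:date"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(dkim_auth_result(s))
```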
