General: For a reporting specification, the Security Considerations are by definition any risks of unwanted information disclosures. So that is where attention needs to be given.
Operational experience: I don't have specific knowledge of the information gathering strategies of malicious actors. When evaluating my reports, I noted that some sources were reporting significantly fewer messages than were sent out. I have specific knowledge about one of those vendors. They offer different filtering products to different clients, and they allow clients to choose whether DMARC is evaluated or not.

So this is what I concluded from that knowledge: If a server farm hosts DomainA and DomainB, and I only get DMARC aggregate reports when I send to DomainA, then I can conclude that DomainB is not evaluating DMARC and is therefore more vulnerable to impersonation attacks than DomainA. I think that knowledge is valuable to bad guys, so I think it is worth a warning in our spec.

The problem with this warning is that if people act on it, the volume of reporting might decrease noticeably.

Doug

On Tue, Nov 15, 2022 at 7:51 PM Seth Blank <[email protected]> wrote:

> On Tue, Nov 15, 2022 at 4:13 AM Douglas Foster <[email protected]> wrote:
>
>> You failed to read and understand what I wrote.
>
> Hatless, I also cannot parse your proposed text or what you're trying to communicate in this email.
>
> As Chair, our charter around the bis project is clear, and is to prioritize "issues based on operational experience and/or data aggregated from multiple sources." Along with any clearer proposed text, can you please share the operational experience and data aggregated from multiple sources which informs this security consideration so that we can prioritize this accordingly?
>
> Thanks,
>
> Seth
>
> --
>
> *Seth Blank* | Chief Technology Officer
> *e:* [email protected]
> *p:* 415.273.8818
>
> This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified that any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
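The reconciliation Doug describes above (messages sent versus what each receiver's aggregate reports account for) as an added example; this is not code from the thread or from any product mentioned in it. The per-domain send counts, the mapping from destination domain to the organisation expected to report for it (in practice derived from the domain's MX), and the two RFC 7489 report fragments are all constructed sample data.

```python
"""Reconcile outbound mail volume against DMARC aggregate (RUA) reports.

Added example, not code from the dmarc list thread. All data below is
constructed; the domain-to-reporter mapping is an assumption.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed: messages sent per destination domain in the report window.
SENT = {"domaina.example": 1000, "domainb.example": 800, "other.example": 300}
# Constructed assumption: which reporting org handles each destination domain.
EXPECTED_REPORTER = {"domaina.example": "FarmMail", "domainb.example": "FarmMail",
                     "other.example": "OtherMail"}

# Constructed RFC 7489 aggregate reports, trimmed to the fields used here.
REPORTS = [
"""<feedback><report_metadata><org_name>FarmMail</org_name></report_metadata>
<record><row><source_ip>192.0.2.10</source_ip><count>950</count></row>
<identifiers><header_from>sender.example</header_from></identifiers></record>
</feedback>""",
"""<feedback><report_metadata><org_name>OtherMail</org_name></report_metadata>
<record><row><source_ip>192.0.2.10</source_ip><count>290</count></row>
<identifiers><header_from>sender.example</header_from></identifiers></record>
</feedback>""",
]

def reported_counts(reports):
    """Sum <count> per reporting org across a list of aggregate report XMLs."""
    totals = defaultdict(int)
    for xml in reports:
        root = ET.fromstring(xml)
        org = root.findtext("report_metadata/org_name")
        for row in root.iterfind("record/row"):
            totals[org] += int(row.findtext("count", default="0"))
    return dict(totals)

def coverage(sent, expected_reporter, reports):
    """Ratio of reported to sent messages for each reporting org."""
    expected = defaultdict(int)
    for domain, n in sent.items():
        expected[expected_reporter[domain]] += n
    got = reported_counts(reports)
    return {org: got.get(org, 0) / n for org, n in expected.items()}

def gaps(sent, expected_reporter, reports, threshold=0.8):
    """Orgs whose report volume falls well short of what was sent to them."""
    ratios = coverage(sent, expected_reporter, reports)
    return sorted(org for org, r in ratios.items() if r < threshold)
```

With the sample data, FarmMail accounts for only about half of the mail sent to the two domains it hosts, which is the kind of under-reporting the message above refers to.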
