Re: [dmarc-ietf] reporting security requirements

Seth Blank <seth@valimail.com> Mon, 25 January 2021 20:47 UTC

From: Seth Blank <seth@valimail.com>
Date: Mon, 25 Jan 2021 12:47:24 -0800
To: Michael Thomas <mike@mtcc.com>
Cc: Douglas Foster <dougfoster.emailstandards@gmail.com>, IETF DMARC WG <dmarc@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/0dIL68EWtHstv76HaUvQelkc2gk>

Entire sections of the document are devoted to preventing reporting abuse.
Of course reviewing the security recommendations is part of the process of
going standards track which we’ll be undertaking.

If you are seeing specific operational issues that you believe require
clarification in the document, please speak up.

Back to open tickets, please.

On Mon, Jan 25, 2021 at 12:41 Michael Thomas <mike@mtcc.com> wrote:

>
> On 1/25/21 10:02 AM, Seth Blank wrote:
> > Michael, are you aware of anyone not following the guidance in the
> > document? This thread feels like we're discussing a non-issue.
> > Aggregate reports are already required to be authenticated and I'm
> > unaware of anyone sending failure reports, let alone unauthenticated
> > ones. Is the language causing problems? Such problems have not been
> > brought to the list, and would be a good place to start if you want to
> > build consensus.
>
> From the looks of it, it doesn't seem like the security requirements of
> reporting was ever undertaken. There seems to be a wide range of
> disagreement even if there was given the thread from which this came.
> From there is actually text, to don't know if it's an issue, to there
> hasn't been a problem before (as if that were some sort of barometer),
> to authentication might inconvenience google, to contradicting your
> assertion that authentication in the way you mentioned can be done.
> Since this is going to proposed standard from informational, that is not
> a very good state of affairs, IMO.
>
> Mike
>
>
> --

*Seth Blank* | VP, Standards and New Technologies
*e:* seth@valimail.com
*p:* 415.273.8818

