IETF Logo Mail Archive

Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports

Michael Thomas <mike@mtcc.com> Mon, 28 December 2020 15:57 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B23613A0C45 for <dmarc@ietfa.amsl.com>; Mon, 28 Dec 2020 07:57:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.748
X-Spam-Level:
X-Spam-Status: No, score=-1.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wuUoa2T0YRSm for <dmarc@ietfa.amsl.com>; Mon, 28 Dec 2020 07:57:48 -0800 (PST)
Received: from mail-pg1-x52f.google.com (mail-pg1-x52f.google.com [IPv6:2607:f8b0:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6307B3A0C43 for <dmarc@ietf.org>; Mon, 28 Dec 2020 07:57:48 -0800 (PST)
Received: by mail-pg1-x52f.google.com with SMTP id e2so7546292pgi.5 for <dmarc@ietf.org>; Mon, 28 Dec 2020 07:57:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=Gs+JksViCPvHwe5GGDEvZeC53Gqq8pQF9ahpx+hoNhk=; b=V925eeGHkP6fHic645ldHR6t1pu0JJ/VpTuGCFN8WvqhOipp018ytyTQwkIqAN1W13 6L2CTZOz+8N0NfZ8jMS1Q6wBBEcssxtvMZLpQFE0/tZdw0ErNjKdzAj7LOBBUCa9kwfh Uaar9L3ZDzbS7+vicVJnfif77enkvn6BwnLhD0BahpIAGy1gwfQ4z105pDlGpnWgtRNr NyFBfgYTBA3coQs03bLOGny2o2SZUvEEBQMXIUjmngCA8tkx2RkZmkfLQMkMv1EsrV31 t1MpgbQ6bGHiL1/k/8qoC6o0NzsZW2YEOf1B/xEB9zLJ5s1Vh6xvqRULASaDvH8GN2CM Ez6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=Gs+JksViCPvHwe5GGDEvZeC53Gqq8pQF9ahpx+hoNhk=; b=eEMLzRdRumz/Y5NH4wMjL15Vcm0P2RsblcdINLjQ/1FhJ1FyraSeBoATEBNc+74AIo AH7J85CBVmqxzcqrVNwUQKWCw2k4Ipx5Sih8G39/0rVbSAYuuT5vQQa3Up7gr1xaaNri SDoNFwFAd3iWjYbVPD8dQfsTRsw9+fxBuyRWdS2ImSPE2SW79wo0L3LY5lCKf+hEOqCb ltbWH5WBcDP5C2D2frhxS7pyRfNJG6Gx+ysoxpK9qtAIUMSS8szq6YIWUTXhOTis4Y1s f5U4+DX6Vz+wfST+xhnPstePUSuAOH9ZiqcxPTGWYsFHU2Tef9iByaTJxiuPdbfZ74bs XPow==
X-Gm-Message-State: AOAM531CZjIsgOHzpWvq8WgjgWEYUhxZLKYjNFsChvR4NVD0sNiJy2mu e/mVvOxLRcoUsTAN27gPPFNX6OnBZyLlqA==
X-Google-Smtp-Source: ABdhPJzWO85JiKaLsgD73JkU6HQhGGIC1R7A7YlRSdPN1kaIyMr3JstJ6qjax8p43JRT2cdeCQKwcA==
X-Received: by 2002:a63:d814:: with SMTP id b20mr9013556pgh.202.1609171067407; Mon, 28 Dec 2020 07:57:47 -0800 (PST)
Received: from mike-mac.lan ([107.182.37.0]) by smtp.gmail.com with ESMTPSA id t36sm34155342pfg.55.2020.12.28.07.57.46 for <dmarc@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 28 Dec 2020 07:57:46 -0800 (PST)
To: dmarc@ietf.org
References: <20201218023900.E73B82ACBB2B@ary.qy> <3997c81d-3b30-0823-a752-fb1d60a44593@tana.it> <74a5c37-19a6-6f6f-a51d-6e5cca5b29e8@taugh.com> <CAJ4XoYdXWTgADpdL1eJuYGnpSY038vj-FW_x1f2rEp1JL0r2oA@mail.gmail.com> <01RTICXKLL3E0085YQ@mauve.mrochek.com> <c5f7413e-52c1-6710-16e5-63f59d2c24b9@taugh.com> <CAL0qLwYDeV9CmFg9qCCGPse00JV30WRiSC4orC-EitK=hiahgA@mail.gmail.com> <a79dd75-4d73-d1dc-d6b1-272de866b950@taugh.com> <CAL0qLwZXu3FxH7QGBS7PGbeDwfDTGmC=rbPEQidVV4eDJNHLUA@mail.gmail.com> <CAJ4XoYeK2cJb+easc=mqCi4ap1932LmbDdfxM1dFZKrdo2a2mw@mail.gmail.com> <acfe3d9e-97eb-50ee-26a2-568fdd8359dd@taugh.com> <CADyWQ+GJ62jt=dL9Gzuw_O7USNbS=86BqAzu8Rdv9sCb5OpCdw@mail.gmail.com> <d4a00be5-bd61-0c05-3431-8d56b39a3550@tana.it> <8813331f-f5e4-faa5-c6d-11212fc25797@taugh.com> <CAHej_8kpT2ooFoJdsj1X+AV90HEA29yABJVp+EhrpJNXxWpnOA@mail.gmail.com> <CAJ4XoYdFHZEras4JC5K04i+PAukWCTBBnwr0zw_CYwDOAe6Sng@mail.gmail.com> <CAHej_8kw6JV-wQKOs1yd_z0RsZe=wuew2+ZSJrmY35j-VCcwFw@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <3cd0c105-4864-2cbc-7d4c-3a27ccb2dce4@mtcc.com>
Date: Mon, 28 Dec 2020 07:57:45 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <CAHej_8kw6JV-wQKOs1yd_z0RsZe=wuew2+ZSJrmY35j-VCcwFw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------134BB9B2743E67C47E787049"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/2vSYkgSuvRwsmW8XqwpUkYnFUb4>
Subject: Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Dec 2020 15:57:50 -0000

On 12/28/20 7:48 AM, Todd Herr wrote:
>  not a lawyer, but providing A with some information about a message 
> that A sent to X seems different, from a privacy perspective, than 
> providing A with some information about a message impersonating A that 
> B sent to X, and I thought perhaps the generic warning might mention 
> this distinction, if possible. Something like:
>
>     Security considerations
>
>     Failure reports provide detailed information about the failure of a
>     single message or a group of similar messages failing for the same
>     reason. They are meant to aid domain owners to detect why failures
>     reported in aggregate form occured. It is important to note these
>     reports can contain either the header or the entire content of a
>     failed message, AND THAT THE DOMAIN OWNER RECEIVING THE
>     REPORTS MAY NOT BE THE ORIGINATING PARTY FOR THE MESSAGE(S)
>     REFERENCED IN THE FAILURE REPORTS. IN ANY CASE, THEY may contain
>     personally identifiable information, which should be considered
>     when deciding
>     whether to generate such reports.
>
>

This is a tempest in a tea pot. This is an issue with the originating 
domain and nobody else. They can send it to a third party even if the 
url lists them to receive the report first.  The receiving domain can't 
know what they will do with the report, and the originating domain has 
already seen the mail in clear text before it was sent. IETF should stay 
out of the business of being nannies that it has no way to enforce.

Mike

v2.23.0 | Report a Bug | By Email