IETF Logo Mail Archive

Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports

Alessandro Vesely <vesely@tana.it> Wed, 23 December 2020 09:16 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B7C73A0C93 for <dmarc@ietfa.amsl.com>; Wed, 23 Dec 2020 01:16:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R8JKC9McjZkC for <dmarc@ietfa.amsl.com>; Wed, 23 Dec 2020 01:16:03 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 971C63A0C90 for <dmarc@ietf.org>; Wed, 23 Dec 2020 01:16:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1608714959; bh=4kR8FKVIZd028KMWFfSWvXGyiPx6N6QStwT/1qiPdDs=; l=1833; h=To:References:From:Date:In-Reply-To; b=CDfD3sHnZGrEF4PUYautXzUsoDeznCDYvM3QTF3uRN/TNOD+LVgCmYAkk0l4RjoG8 mj64kD8AGUT1YK9TJY5+ZAwti1/mUJBNzgtRmB0St61g4hW36ho7wTeDQCwS20yWuE vFnrWHxV2ZIaw9JKt8mqdxRZrTVCiwBtg3odgjkXTkD5HX6A99mTod9VDv/h8
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC083.000000005FE30ACE.000053D1; Wed, 23 Dec 2020 10:15:58 +0100
To: dmarc@ietf.org
References: <20201218023900.E73B82ACBB2B@ary.qy> <4a43ffaa-3987-c892-cce7-56f18888cdf5@tana.it> <39125012-e356-d62d-36fd-a7ff25a9f59f@taugh.com> <e6880ba9-f5f3-1050-25c0-658551187512@tana.it> <6bba023-d3d9-63a5-8441-11dac9a05e28@taugh.com> <74051a64-871a-db72-b5d9-1be374e23015@tana.it> <a323077-9b64-555b-3561-62cdc93819fd@taugh.com> <a8281e16-9417-5189-df73-79ea0a865fbd@tana.it> <c713b9ae-a364-1ae0-e79-55f61624aa3d@taugh.com> <3034face-b6fc-0ce2-fa1b-f59210bd6f5b@tana.it> <46339b38-3b24-bcb7-5e73-8a97038ed69@taugh.com> <3997c81d-3b30-0823-a752-fb1d60a44593@tana.it> <448eeae1-2d82-91d3-4adf-cb547acd427a@mtcc.com> <c929bfa4-9b32-5099-01fa-078c56191571@tana.it> <0bf9fb2e-9974-4db3-3165-78508de3547c@mtcc.com> <44d92626-a13c-64e7-b1de-07cd50b1fd20@tana.it> <fff265af-16c0-9d75-c92f-ee438ae088b5@mtcc.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <74b57d51-1ec3-dd48-7747-a57a7d74c709@tana.it>
Date: Wed, 23 Dec 2020 10:15:58 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <fff265af-16c0-9d75-c92f-ee438ae088b5@mtcc.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9jNWeBN4Q_4a1nYZL69WhdF_HgM>
Subject: Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Dec 2020 09:16:06 -0000

On Tue 22/Dec/2020 20:41:06 +0100 Michael Thomas wrote:
> On 12/22/20 10:59 AM, Alessandro Vesely wrote:
>>
>>> Sorry, having to ask for permission because of laws does not constitute a 
>>> "severe privacy concern".
>>
>> Except in the sense that they're called privacy laws.  Do you have a better 
>> wording?
>
> I don't know what was wrong with the initial text. But it most certainly is not 
> a "severe privacy concern", especially if it is the originating domain getting 
> the report. It already saw the original message in the first place assuming it 
> wasn't spoofed, and if it was spoofed they are entitled to see it for forensics 
> if the receiving domain is willing to send it to them.


It may happen that the ruf= address ends up at the same submission server that 
issued the original message, but that's not guaranteed.  John mentioned a real 
example.


>>> That is completely outside of the scope of IETF and we should be pandering 
>>> to it.
>>
>> Making specifications that cannot be legally abided by is in IETF scope?
>
> If the laws are unreasonable? Sure. We're not putting backdoors in for 
> encryption either. It's their laws, let them figure it out.


Failure reporting is rather akin to backdoors, in the sense that it can be used 
for pervasive monitoring.  IMHO, GDPR is long winded and lacks practical design 
elements that could have inspired privacy-protecting protocols, but its intent 
is certainly not unreasonable.


> But you said that providers can get people to opt in, so that seem moot.


I'd recommend that software implements failure reporting, leaving it disabled 
with the possibility to enable it by domain in case of need.  However, such 
recommendation would be an addition to the protocol, so it is not going to make 
it to the spec.


Best
Ale
--

v2.23.0 | Report a Bug | By Email