Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports

Dave Crocker <dcrocker@gmail.com> Tue, 05 January 2021 20:48 UTC

To: Michael Thomas <mike@mtcc.com>, dmarc@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/BhSauaEiNEwZgAqxgqgXRrJdLXs>

On 1/5/2021 12:11 PM, Michael Thomas wrote:
> On 1/5/21 12:04 PM, Dave Crocker wrote:
>>
>> 1. I've looked back over his postings to this mailing list and am not 
>> finding the link you refer to.  Please post it (again).
>>
>> 2. A single study is unlikely to be definitive about much of anything.
>>
> https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf
>
thanks.

How carefully did you read the details?  While I suppose the study is a 
bit interesting, it's a very long way from serving as definitive 'proof' 
of much of anything.


> Actual data, actual experiments. Finally. And it's a lot better than 
> all of the conjecture here which is the currency of the realm.
>
You might want to review the actual semantics of the statistical methods 
used for actual experiments.  They don't mean what you seem to think 
they mean. In particular note that the focus of such semantics is on 
negatives, rather than positives.  It's the reason that conclusions 
about affirmative statements require a constellation of studies.


> I use my inner Luddite to use all of the time. It's one of my skills. 
> But an MUA designed with security in mind with its UI would go a long 
> way too. From re-writing is exactly the wrong thing to do from a 
> security standpoint though.

That's been a regular refrain, for decades. Odd that we do not yet see 
actual efficacy, after all that... conjecture.

By now, there should be that constellation of compelling evidence for 
the efficacy of visual indicators with average recipients.


d/

-- 
Dave Crocker
dcrocker@gmail.com
408.329.0791

Volunteer, Silicon Valley Chapter
American Red Cross
dave.crocker2@redcross.org