Re: [dmarc-ietf] Recipient domain in aggregate reports (#23)

Barry Leiba <barryleiba@computer.org> Thu, 06 May 2021 14:16 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 134013A23CA for <dmarc@ietfa.amsl.com>; Thu, 6 May 2021 07:16:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.401
X-Spam-Level:
X-Spam-Status: No, score=-1.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nCoF1lW17jCd for <dmarc@ietfa.amsl.com>; Thu, 6 May 2021 07:16:21 -0700 (PDT)
Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com [209.85.167.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CF293A23C6 for <dmarc@ietf.org>; Thu, 6 May 2021 07:16:21 -0700 (PDT)
Received: by mail-lf1-f44.google.com with SMTP id c3so8006684lfs.7 for <dmarc@ietf.org>; Thu, 06 May 2021 07:16:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-transfer-encoding; bh=4yDhoQBh7oGOnxQEAKRdjMra6Mv1X2LejkK2pQ/t7E0=; b=k5QcCkKZ1fG1Z7vQwGNRwXfUGWoICMXBrYg/4bUtN7xmBtx938GhlJO6pQMU8/86SM P/IRZ5vpRSB43RICZTk44ht4T2TQfXFlrsb3HvqSbWxNjV8miuv994OdGiPApbgtVn73 fDPyp4cbkx6nmR85m2/As5koKedzgFA+vSls/KsM/QTZhXsXcFV0ynO84HCbDvPzA+Qi GRcueeU44Sn01ZhWBMH71GKrehDQ04XL420vNVpKTXzUZL3/OqqjwL+XraXEa4DAq8rS FQBxodVpoyC2QqyXVf4q07KDrAaPwZPucSzHI0JPbAk/Wmo3xa4ttebKqFfQl29WHyks wPsQ==
X-Gm-Message-State: AOAM5320Meb5+BVAm2KKHUBeaoZ7aB6HLFSvxCyZj996FTjvzhBerqgQ ck6sjZiYKydqp0PAOy5B6fCGZ0WqilhS+uT0DnPTo40ifPk=
X-Google-Smtp-Source: ABdhPJzKWPhRBNFURyuOTb4V7eFR7WoHG8COAfERkC1UIGZ8B76wKU+5NDTRBh9yRByT2mEuhsnwGJjKtTivwk6wxd0=
X-Received: by 2002:ac2:491c:: with SMTP id n28mr575832lfi.123.1620310578452; Thu, 06 May 2021 07:16:18 -0700 (PDT)
MIME-Version: 1.0
References: <20210502203007.2AE156284F0@ary.qy> <215690a6-2b04-3355-9999-816a1c3d7126@heeg.de> <70E22447-47F6-4B92-B47F-664A81107836@wordtothewise.com> <CAH48Zfy0_jvDAtwQ+MrK4kk=J1iqO=6z1+ToBPiAOYeJ5qWHyg@mail.gmail.com> <692CBE21-4222-4353-8D03-EE4B287405EF@wordtothewise.com> <CAH48ZfzH24kw9Rn8t_r-WmsBVQKcrNnV9Px0Gr7ufJcSncmUuQ@mail.gmail.com> <e9b5abbc-08b3-111a-9563-37a742c72ff3@tana.it> <MN2PR11MB43519672C6029A3FE916C0A1F7599@MN2PR11MB4351.namprd11.prod.outlook.com>
In-Reply-To: <MN2PR11MB43519672C6029A3FE916C0A1F7599@MN2PR11MB4351.namprd11.prod.outlook.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Thu, 6 May 2021 10:16:06 -0400
Message-ID: <CALaySJJa+LWRmhKUxSBXa-Vbx6uf4pzgfQZ0cZ=KUGP3EWhWJw@mail.gmail.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/EQCdI5l-RyaH-Z9pMH910JcIOls>
Subject: Re: [dmarc-ietf] Recipient domain in aggregate reports (#23)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 May 2021 14:16:26 -0000

Chair weighing in, as chair:

We're divided in the sense that there are some who want to add this
information, but as I see it the rough consensus is not divided:
- This is extra information that's being proposed... so, a new
feature.  That requires rough consensus to add it.
- Serious privacy issues have been raised with respect to adding that
information.
- No refutation of those privacy issues has been given, and no
adequate mitigation has been proposed.  The suggestion of requiring a
minimum level of aggregation is insufficient, as there's ample general
evidence that privacy leaks survive aggregation.
- We therefore do not have rough consensus to add this.

The chairs, therefore, declare this issue closed.

I'll also note that the IESG *will* bring up the privacy issues and
would very likely block the document on those grounds.  I don't think
we want to go there.

Barry

On Wed, May 5, 2021 at 9:18 PM Brotman, Alex
<Alex_Brotman=40comcast.com@dmarc.ietf.org> wrote:
>
> Are we divided?  Seems like use cases have been noted.  However, removing these completely protects some aspects of privacy.  Could we perhaps err on the side of caution, removing these definitions, and leave a note to suggest that if domain holders need further assistance to reach out to the report generator. The generator can then make decisions about how much information to expose.
>
> --
> Alex Brotman
> Sr. Engineer, Anti-Abuse & Messaging Policy
> Comcast
>
> > -----Original Message-----
> > From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Alessandro Vesely
> > Sent: Tuesday, May 4, 2021 5:07 AM
> > To: dmarc@ietf.org; Douglas Foster
> > <dougfoster.emailstandards@gmail.com>
> > Subject: Re: [dmarc-ietf] Recipient domain in aggregate reports (#23)
> >
> > Doug,
> >
> >
> > On Mon 03/May/2021 14:25:54 +0200 Douglas Foster wrote:
> > > No.  I can't talk straight.
> > >
> > > I meant to say that we need N unique (and valid) smtp TO addresses, so
> > > that an attacker cannot send a single email address and wait for an
> > > rua report to know where it lands.
> >
> >
> > A simple positive DSN can confirm email addresses better than elaborate
> > DKIM design.  To confirm delivery is usually not considered a privacy
> > violation, given that the sender learned the recipient's address.  Privacy
> > violation occurs when senders track the recipient's opening of each message,
> > which is typically obtained by inserting unique images in HTML messages.
> >
> > Avoiding to reveal final email addresses requires various precautions, which,
> > if I understood what Laura wrote, can be put into effect on forwarding.  I
> > would *add to the Privacy Consideration section* that, due to reporting,
> > changing the envelope from is not enough, From: has to be changed as well
> > in order to forward without revealing the final address.
> >
> >
> > > Valid addresses are needed to hinder usage of bogus addresses to defeat
> > the test.
> >
> >
> > However, the aggregate report counts the number of messages, not the
> > number of recipients.
> >
> >
> > > Requiring aggregation on DKIM selector follows the sane logic to hinder
> > > tracking an individual.
> > >
> > > Using DKIM selectors for tracking will also put a huge load on DNS if
> > > implemented at scale, so it needs to be obstructed.
> >
> >
> > I think mass mailers have better means to track recipients.  But I agree that
> > to generate, publish, retrieve and report million DKIM selectors would be
> > somewhat impractical.  Putting a limit on aggregate report size (even if not
> > requested by the report consumer) can prevent excessive disaggregation.
> >
> >
> > > It is also not enough to null the DKIM selector; the null aggregate still needs
> > > to meet the N recipient requirement.  If not, then additional selectors need
> > to
> > > be nulled or the nulled-selector messages need to be completely excluded
> > from
> > > the report.
> >
> >
> > Most reports I send have <count>1</count>, given my volumes.  Yet, by
> > aggregating many of them one could reach significant sums.
> >
> >
> > > If the To domain is included in the report, the aggregation rules should still
> > > apply.  If they cannot be met, then the To domain must be nulled out or
> > the
> > > report not sent.
> >
> >
> > This is a recipient's choice.  If I wanted to stay anonymous, I'd use a domain
> > like gmail.com rather than tana.it.
> >
> >
> > > I favor making To domain an option which the owner domain requests and
> > the
> > > sending domain chooses to follow or ignore.  This provides upward
> > > compatibility.  The request for this data element keeps coming up.  The
> > > protocol can allow flexibility so that the participants make the final decision.
> >
> >
> > It is already optional in the I-D.  (Not that I find it useful.)
> >
> >
> > > I asked previously whether report senders do any filtering based on
> > domain
> > > reputation, and the answer was "probably not".  I think the specification
> > > should encourage recipients to omit reporting to sources with negative
> > > reputations, as their motive for report collection may be unrelated to
> > > self-identification.
> >
> >
> > Some receivers cannot report mail discarded during early SMTP phases at all,
> > for example because the DMARC filter is run after the end of data.
> >
> >
> > > I want the protocol to address all of Laura's concerns.  I think ensuring
> > > aggregation is the best way to do this.
> >
> >
> > DMARC cannot address those concerns directly, IMHO.  However, it can note
> > under
> > what conditions aggregate reporting doesn't violate privacy.  It is especially
> > useful to note that, in most cases, aggregate reports do NOT constitute a
> > privacy risk.
> >
> >
> > Best
> > Ale
> > --
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > dmarc mailing list
> > dmarc@ietf.org
> > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/dmarc
> > __;!!CQl3mcHX2A!R7ZKTY4HhF1wSMZwpruVsXIE5-
> > EtRxdlYaxRVkylrlTKnqYLGf-PSpD4ChOUaRGFE27SBql-1Q$
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc