Re: [dmarc-ietf] Ticket #64 - Contained Data PII Concerns

"Brotman, Alex" <Alex_Brotman@comcast.com> Wed, 17 February 2021 18:40 UTC

From: "Brotman, Alex" <Alex_Brotman@comcast.com>
To: Alessandro Vesely <vesely@tana.it>, "dmarc@ietf.org" <dmarc@ietf.org>
Date: Wed, 17 Feb 2021 18:40:13 +0000
Message-ID: <MN2PR11MB435129E4F5DA8C8EC141E9E9F7869@MN2PR11MB4351.namprd11.prod.outlook.com>
References: <MN2PR11MB435185A171029EF4282A2BF4F78B9@MN2PR11MB4351.namprd11.prod.outlook.com> <7086a5e4-2a9c-bbdc-1969-f77d0d00fa38@tana.it>
In-Reply-To: <7086a5e4-2a9c-bbdc-1969-f77d0d00fa38@tana.it>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/GKoqRt2HyWDh2-vL8sP1mIdgRl0>

Incorporating some feedback:

-------------------
## Data Contained Within Reports (Tkt64)

Within the reports is contained an aggregated body of anonymized data pertaining
to the sending domain.  The data is meant to aid the report processors
and domain holders in verifying sources of messages pertaining to the
DMARC Identifier.  The data should not contain any identifying
characteristics about individual senders or receivers.  An entity
sending reports should not be concerned with the data contained as
it does not contain personal information, such as email addresses or
usernames. There are typically three situations where data is reported to
the aggregate receivers: messages properly authenticated, messages that fail to
authenticate as the domain, or messages utilizing the DMARC Identifier that
have no authentication at all.  In each of these cases, there exists no identifying
information for individuals, and all content within the reports should be related
to SMTP servers sending messages posing as that domain.
-------------------


--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

> -----Original Message-----
> From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Alessandro Vesely
> Sent: Monday, February 15, 2021 8:31 AM
> To: dmarc@ietf.org
> Subject: Re: [dmarc-ietf] Ticket #64 - Contained Data PII Concerns
>
> On Fri 12/Feb/2021 21:30:38 +0100 Brotman, Alex wrote:
> > Hello folks,
> >
> > In ticket #64 (https://trac.ietf.org/trac/dmarc/ticket/64), it was suggested
> > that a Privacy Considerations section may alleviate some concerns about the
> > ownership of the data.  I created an initial attempt, and thought to get some
> > feedback.  I didn't think we should go too far in depth, or raise corner
> > cases.  Felt like doing so could lead down a rabbit hole of trying to cover
> > all cases. This would go within a "Privacy Considerations" section.
> >
> > * Data Contained Within Reports (#64)
> >
> > Within the reports is contained an aggregated body of anonymized data
> > pertaining to the sending domain.  The data is meant to aid the report
> > processors and domain holders in verifying sources of messages
> > pertaining to the 5322.From Domain.
>
>
> I'd replace all those 5322.From Domain with main DMARC identifier.
>
>
> > The data should not contain any identifying characteristics about
> > individual senders or receivers.
>
>
> The aggregated data refers to names and IP addresses of SMTP servers.  It
> cannot be used to identify individual users.
>
>
> > An entity sending reports should not be concerned with the data contained as
> > it should not contain PII (NIST reference for PII definition), such as email
> > addresses or usernames.
>
>
> I'd substitute /should not/does not/.  Even if a server has a unique user, the
> domain name and the IP address are those of a public entity, not those of a
> private citizen.
>
> The term Personally Identifiable Information (PII) is US-national.  I think
> just personal information is of broader use.  Personal data is also a valid
> alternative.
>
>
> jm2c
> Ale