IETF Logo Mail Archive

Re: [dmarc-ietf] DMARCbis Privacy Considerations was: Re: I-D Action: draft-ietf-dmarc-dmarcbis-17.txt

Scott Kitterman <sklist@kitterman.com> Tue, 30 August 2022 21:34 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41FB1C1522A7 for <dmarc@ietfa.amsl.com>; Tue, 30 Aug 2022 14:34:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=4XDDwv9L; dkim=pass (2048-bit key) header.d=kitterman.com header.b=HBuD5dwd
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uly5UGtgRsqu for <dmarc@ietfa.amsl.com>; Tue, 30 Aug 2022 14:34:22 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B145C14CF08 for <dmarc@ietf.org>; Tue, 30 Aug 2022 14:34:21 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id D1138F802D1 for <dmarc@ietf.org>; Tue, 30 Aug 2022 17:34:18 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1661895258; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=d+U7huNertrD0sfsM1V/FzLAAyYU2+SsbggPyc1EH0I=; b=4XDDwv9LPaHb4HV5LfJIRe592eun/UKMqx56MM0mhfMeKf5L/uj7kOvxF6vb4Hdv9v9BZ UO9BRdWRy/wFhdvBQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1661895258; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=d+U7huNertrD0sfsM1V/FzLAAyYU2+SsbggPyc1EH0I=; b=HBuD5dwd5nM+AdtEI8zW0G0Va6gVbi3EcbG4ItdvT1f36V/dir1zjRz+gthdyFWUmphNt xKpyx6EVjHx3jpAqfF6WXnWkx3nZksoVqxSDxIZV3VD4SqmolAZXwB0N3UIiL1zE4U7bqD+ uwKtVosingdsYJ7sxxZwxCW7Z2rma8BNUSBM+jen+485Imo8XbIdlsbM7n5ndMxZxSaJJvf U8eY5XtdFLeXFCipQ2PhHJUbbzTogb/pjYv+kT8Z4VGzRaJVp5LdPqt9jiSIgahBqtZ120y /y1o6XLEhogI/TIgA6cNfN/YXWISOT45nAzsawr9LQbLYHXeut7N3VvwCUHg==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id B6E0EF80153 for <dmarc@ietf.org>; Tue, 30 Aug 2022 17:34:18 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Tue, 30 Aug 2022 17:34:18 -0400
Message-ID: <4933355.f5WRtcxpSY@zini-1880>
In-Reply-To: <2969398.fzCzL4EFEC@zini-1880>
References: <166178507559.47631.2900016221052924761@ietfa.amsl.com> <4015891.JFzxAWuYz4@zini-1880> <2969398.fzCzL4EFEC@zini-1880>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/OCy7mO9jDVYakvHOs6ro_p3-9MA>
Subject: Re: [dmarc-ietf] DMARCbis Privacy Considerations was: Re: I-D Action: draft-ietf-dmarc-dmarcbis-17.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Aug 2022 21:34:26 -0000

On Monday, August 29, 2022 12:27:11 PM EDT Scott Kitterman wrote:
> On Monday, August 29, 2022 11:09:50 AM EDT Scott Kitterman wrote:
> > On Monday, August 29, 2022 10:59:55 AM EDT Todd Herr wrote:
> > > Version created from the pull request John mentioned on-list on August
> > > 28.
> > 
> > Thanks.
> 
> ...
> 
> > Also, I am reminded that since this document will obsolete RFC 9091 if
> > approved, we need to incorporate the Privacy Considerations from that
> > document instead of referencing them.  I'll prepare a recommend change for
> > that.
> 
> I looked into this a bit and it turns out to be more complicated than I
> expected.
> 
> Currently DMARCbis has no Privacy Considerations section at all.  Generally,
> I think this is correct since the DMARC relevant privacy issues are tied to
> reporting, which is in separate drafts.  I do think though that since we
> are covering all aspects of DMARC record publishing in DMARCbis, there are
> a few specifics that should go in the main draft with pointers to the
> reporting drafts for relevant details.
> 
> RFC 9091 Privacy Considerations (which are currently incorporated by
> reference in DMARCbis) say that for PSDs, feedback MUST be limited to
> Aggregate Reports.
> 
> I think it would be appropriate that DMARCbis have a short Privacy
> Considerations section which points out that putting an rua or ruf tag in
> your DMARC record may have privacy implications for organizations with
> pointers to the reporting drafts for details.  I would include something
> like if psd=y, MUST NOT also have an ruf= value in DMARCbis.
> 
> The bulk of the RFC 9091 Privacy Considerations text would then go in I-
> D.ietf-dmarc-aggregate-reporting.  All that would be needed in
> I-D.ietf-dmarc- aggregate-reporting Privacy Considerations is a relatively
> simple admonition to not send failure reports for PSDs.
> 
> If that seems reasonable to people, I'll prepare specifics for review.

No one complained, so off I went.  I've prepared an update in git (that I will 
shortly submit as a PR).  The bulk of it is to add a new Privacy 
Considerations section.  That's provided below.  The full diff is at:

https://github.com/kitterma/draft-ietf-dmarc-dmarcbis/commit/
e27a0aa41f4d33c52c1c03710eda3c7bbc592002?diff=split

I'd like to propose that unless the group turns out to think this is 
completely horrible, we go ahead and accept it as a basis for further work, 
since something is generally easier to edit than nothing.  Additional changes 
will be needed for the reporting drafts.  I'll work on those once this is 
settled a bit.

# Privacy Considerations {#privacy-considerations}

This section discusses issues specific to private data that may be
included if DMARC reports are requested.  Issues associated with
sending aggregate reports and failure reports are addressed in
[@!I-D.ietf-dmarc-aggregate-reporting] and
[@!I-D.ietf-dmarc-failure-reporting] respectively.

## Aggregate Report Considerations {#aggregate-report-considerations}

Aggregate reports may, particularly for small organizations, provide some
limited insight into email sending patterns.  As an example, in a small
organization, an aggregate report from a particular domain may be sufficient
to make the report receiver aware of sensitive personal or business
information.  If setting an rua= tag in a DMARC record, the reporting
address needs controls appropriate to the organizational requirements to
mitigate any risk associated with receiving and handling reports.

In the case of rua= requests for multi-organizational PSDs, additional
information leakage considerations exist.  Multi-organizational PSDs that
do not mandate DMARC use by registants risk exposure of private data of
registrant domains if they include the rua= tag in their DMARC record.

## Failure Report Considerations {#failure-report-considerations}

Failure reports do provide insight into email sending patterns, including
specific users.  If requesting failure reports, data management controls
are needed to support appropriate management of this information.  The
additional detail available through failure reports (relative to aggregate
reports) can drive a need for additional controls.  As an example, a
company may be legally restricted from receiving data related to a specific
subsidiary.  Before requesting failure reports, any such data spillage risks
have to be addressed through data management controls or publishing DMARC
records for relevant sub-domains to prevent reporting on data related to
their emails.

Out of band agreements between failure report senders and receivers may be
required to address privacy concerns.

DMARC records for multi-organizational PSDs MUST NOT include the ruf= tag.

Scott K

v2.23.0 | Report a Bug | By Email