Re: [dmarc-ietf] DMARCbis Privacy Considerations was: Re: I-D Action: draft-ietf-dmarc-dmarcbis-17.txt
Scott Kitterman <sklist@kitterman.com> Tue, 30 August 2022 21:34 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41FB1C1522A7 for <dmarc@ietfa.amsl.com>; Tue, 30 Aug 2022 14:34:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=4XDDwv9L; dkim=pass (2048-bit key) header.d=kitterman.com header.b=HBuD5dwd
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uly5UGtgRsqu for <dmarc@ietfa.amsl.com>; Tue, 30 Aug 2022 14:34:22 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B145C14CF08 for <dmarc@ietf.org>; Tue, 30 Aug 2022 14:34:21 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id D1138F802D1 for <dmarc@ietf.org>; Tue, 30 Aug 2022 17:34:18 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1661895258; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=d+U7huNertrD0sfsM1V/FzLAAyYU2+SsbggPyc1EH0I=; b=4XDDwv9LPaHb4HV5LfJIRe592eun/UKMqx56MM0mhfMeKf5L/uj7kOvxF6vb4Hdv9v9BZ UO9BRdWRy/wFhdvBQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1661895258; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=d+U7huNertrD0sfsM1V/FzLAAyYU2+SsbggPyc1EH0I=; b=HBuD5dwd5nM+AdtEI8zW0G0Va6gVbi3EcbG4ItdvT1f36V/dir1zjRz+gthdyFWUmphNt xKpyx6EVjHx3jpAqfF6WXnWkx3nZksoVqxSDxIZV3VD4SqmolAZXwB0N3UIiL1zE4U7bqD+ uwKtVosingdsYJ7sxxZwxCW7Z2rma8BNUSBM+jen+485Imo8XbIdlsbM7n5ndMxZxSaJJvf U8eY5XtdFLeXFCipQ2PhHJUbbzTogb/pjYv+kT8Z4VGzRaJVp5LdPqt9jiSIgahBqtZ120y /y1o6XLEhogI/TIgA6cNfN/YXWISOT45nAzsawr9LQbLYHXeut7N3VvwCUHg==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id B6E0EF80153 for <dmarc@ietf.org>; Tue, 30 Aug 2022 17:34:18 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Tue, 30 Aug 2022 17:34:18 -0400
Message-ID: <4933355.f5WRtcxpSY@zini-1880>
In-Reply-To: <2969398.fzCzL4EFEC@zini-1880>
References: <166178507559.47631.2900016221052924761@ietfa.amsl.com> <4015891.JFzxAWuYz4@zini-1880> <2969398.fzCzL4EFEC@zini-1880>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/OCy7mO9jDVYakvHOs6ro_p3-9MA>
Subject: Re: [dmarc-ietf] DMARCbis Privacy Considerations was: Re: I-D Action: draft-ietf-dmarc-dmarcbis-17.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Aug 2022 21:34:26 -0000
On Monday, August 29, 2022 12:27:11 PM EDT Scott Kitterman wrote: > On Monday, August 29, 2022 11:09:50 AM EDT Scott Kitterman wrote: > > On Monday, August 29, 2022 10:59:55 AM EDT Todd Herr wrote: > > > Version created from the pull request John mentioned on-list on August > > > 28. > > > > Thanks. > > ... > > > Also, I am reminded that since this document will obsolete RFC 9091 if > > approved, we need to incorporate the Privacy Considerations from that > > document instead of referencing them. I'll prepare a recommend change for > > that. > > I looked into this a bit and it turns out to be more complicated than I > expected. > > Currently DMARCbis has no Privacy Considerations section at all. Generally, > I think this is correct since the DMARC relevant privacy issues are tied to > reporting, which is in separate drafts. I do think though that since we > are covering all aspects of DMARC record publishing in DMARCbis, there are > a few specifics that should go in the main draft with pointers to the > reporting drafts for relevant details. > > RFC 9091 Privacy Considerations (which are currently incorporated by > reference in DMARCbis) say that for PSDs, feedback MUST be limited to > Aggregate Reports. > > I think it would be appropriate that DMARCbis have a short Privacy > Considerations section which points out that putting an rua or ruf tag in > your DMARC record may have privacy implications for organizations with > pointers to the reporting drafts for details. I would include something > like if psd=y, MUST NOT also have an ruf= value in DMARCbis. > > The bulk of the RFC 9091 Privacy Considerations text would then go in I- > D.ietf-dmarc-aggregate-reporting. All that would be needed in > I-D.ietf-dmarc- aggregate-reporting Privacy Considerations is a relatively > simple admonition to not send failure reports for PSDs. > > If that seems reasonable to people, I'll prepare specifics for review. No one complained, so off I went. I've prepared an update in git (that I will shortly submit as a PR). The bulk of it is to add a new Privacy Considerations section. That's provided below. The full diff is at: https://github.com/kitterma/draft-ietf-dmarc-dmarcbis/commit/ e27a0aa41f4d33c52c1c03710eda3c7bbc592002?diff=split I'd like to propose that unless the group turns out to think this is completely horrible, we go ahead and accept it as a basis for further work, since something is generally easier to edit than nothing. Additional changes will be needed for the reporting drafts. I'll work on those once this is settled a bit. # Privacy Considerations {#privacy-considerations} This section discusses issues specific to private data that may be included if DMARC reports are requested. Issues associated with sending aggregate reports and failure reports are addressed in [@!I-D.ietf-dmarc-aggregate-reporting] and [@!I-D.ietf-dmarc-failure-reporting] respectively. ## Aggregate Report Considerations {#aggregate-report-considerations} Aggregate reports may, particularly for small organizations, provide some limited insight into email sending patterns. As an example, in a small organization, an aggregate report from a particular domain may be sufficient to make the report receiver aware of sensitive personal or business information. If setting an rua= tag in a DMARC record, the reporting address needs controls appropriate to the organizational requirements to mitigate any risk associated with receiving and handling reports. In the case of rua= requests for multi-organizational PSDs, additional information leakage considerations exist. Multi-organizational PSDs that do not mandate DMARC use by registants risk exposure of private data of registrant domains if they include the rua= tag in their DMARC record. ## Failure Report Considerations {#failure-report-considerations} Failure reports do provide insight into email sending patterns, including specific users. If requesting failure reports, data management controls are needed to support appropriate management of this information. The additional detail available through failure reports (relative to aggregate reports) can drive a need for additional controls. As an example, a company may be legally restricted from receiving data related to a specific subsidiary. Before requesting failure reports, any such data spillage risks have to be addressed through data management controls or publishing DMARC records for relevant sub-domains to prevent reporting on data related to their emails. Out of band agreements between failure report senders and receivers may be required to address privacy concerns. DMARC records for multi-organizational PSDs MUST NOT include the ruf= tag. Scott K
- [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbi… internet-drafts
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Todd Herr
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Todd Herr
- [dmarc-ietf] DMARCbis Privacy Considerations was:… Scott Kitterman
- Re: [dmarc-ietf] DMARCbis Privacy Considerations … Alessandro Vesely
- Re: [dmarc-ietf] DMARCbis Privacy Considerations … Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… John Levine
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… John R. Levine
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… John R. Levine
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Todd Herr
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] DMARCbis Privacy Considerations … Scott Kitterman
- Re: [dmarc-ietf] DMARCbis Privacy Considerations … Alessandro Vesely
- Re: [dmarc-ietf] DMARCbis Privacy Considerations … John Levine
- Re: [dmarc-ietf] DMARCbis Privacy Considerations … Barry Leiba
- Re: [dmarc-ietf] DMARCbis Privacy Considerations … John R Levine
- Re: [dmarc-ietf] DMARCbis Privacy Considerations … Scott Kitterman
- Re: [dmarc-ietf] DMARCbis Privacy Considerations … Tim Wicinski
- Re: [dmarc-ietf] DMARCbis Privacy Considerations … Alessandro Vesely
- Re: [dmarc-ietf] DMARCbis Privacy Considerations … John R. Levine
- Re: [dmarc-ietf] DMARCbis Privacy Considerations … Douglas Foster