[dmarc-ietf] Feedback on draft-ietf-dmarc-psd-02

Kurt Andersen <kurta@drkurt.com> Thu, 11 April 2019 22:34 UTC

Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id CDC49120405 for <dmarc@ietfa.amsl.com>; Thu, 11 Apr 2019 15:34:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id bW335iYnQTBy for <dmarc@ietfa.amsl.com>; Thu, 11 Apr 2019 15:34:03 -0700 (PDT)
Received: from mail-it1-x12b.google.com (mail-it1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF4651203EB for <dmarc@ietf.org>; Thu, 11 Apr 2019 15:34:02 -0700 (PDT)
Received: by mail-it1-x12b.google.com with SMTP id y10so12362961itc.1 for <dmarc@ietf.org>; Thu, 11 Apr 2019 15:34:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:from:date:message-id:subject:to; bh=UtysxvEwtwLuLdlDizlQ0JuLUvsBz0YmFUmJbM8ldsA=; b=XFQTdZjVYV95AzTfx7LlpRTI+i7LWjtZ8nMqo6ldZF+znkEEKH16cIlFnP3QY9Pfm/ HEJ6QixvLpL4u34dFpHiqZi+VdsVlb5qykEydp3z5O5Ern5dda078/NKQ8Q34g0RMKxL 4ukjp+eRqB/5RsNQDozI3r5t6taHXZpd1fy+4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=UtysxvEwtwLuLdlDizlQ0JuLUvsBz0YmFUmJbM8ldsA=; b=GSQFNyXl6GsLzUSDyyd9byxDi0hON/ynkOuhFIOpk++dd20xti4H1tBveLOdlhZIlL a0b1I14o75RXXFbHT5I2vaTx6lYL/Ictl12xaLjZEbI2CbJyxLpR0p1G1e1f1NJ4W0Xw 59A2W1Ktsz97U5vD1MCgzlGQC+opsU+9wRyiLEP3y698ErP74nS/4V6xtLdGfv3sKdv1 E/Mcpt/5XQ3qJ8UCNT7O40w/h0tZKX46TBIvtKOipJU43syRlgx3EHZANrIUTehwF5Jn yot8gvl9gRVvZJoMFr+suPeEB0I/991l7uk12mL960/rIoCT/squxmvAR/3VTqm0jf2z 7iKw==
X-Gm-Message-State: APjAAAW5jjNmCVR83AAEwyOIIBxQNv1yiTPS9x5ogPMPHs03eENYeJ/r xYrAOvK7jXc6GkgCL8t90SiYTDsEQabr6gUK24J1VK1K/3v/Og==
X-Google-Smtp-Source: APXvYqwhcSROZ8UcsyAHZaNyLQBs0XipxnYBDYZpXbaYoQeJwCvQkKDuimbIy7V/ffUAWXvtqta/rClWlXGEyIb7Jbc=
X-Received: by 2002:a24:2244:: with SMTP id o65mr10198743ito.126.1555022041581; Thu, 11 Apr 2019 15:34:01 -0700 (PDT)
MIME-Version: 1.0
From: Kurt Andersen <kurta@drkurt.com>
Date: Thu, 11 Apr 2019 15:33:34 -0700
Message-ID: <CABuGu1oE+W7_==GxG0Qmo9WxcPWm5in50EZwU+kSEJ4a0=QZzA@mail.gmail.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000068239e058648c84a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/OhgfUVqBga0tOIwcwpM-TPIhfus>
Subject: [dmarc-ietf] Feedback on draft-ietf-dmarc-psd-02
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2019 22:34:05 -0000

Firstly, just a nit, but section 4.1 introduces a new abbreviation in the
last bullet point: "PSDo". I suspect that this should be PSO for

More substantively, in Appendix A, the case is being advanced for "concerns
associated with Multi-organization PSDs that do not mandate DMARC usage".
I'm not sure why "multi-organization" is an appropriate qualifier, nor as
to what mandated DMARC usage has to do with any of the privacy concerns.
Neglected DMARC usage is what leads to the spillage up to the PSD level.
Even within a single organization there may be serious privacy walls which
need to be respected between different sub-portions of the org - which may
or may not be represented in a DNS hierarchy.

I've read through the breakdown in section 4.1, but I think that it is
incomplete - largely on the terms mentioned above. Also, the claim that
reports on cousin domains would be sent to the [right] PSO ignores the risk
of the PSD itself being the cousin attack point. After all if a domain
doesn't exist, one may as well start from the top :-)

I think it would be more effective to add an anti-RUF requirement to the
implementation of this spec - such that no RUF reports would be sent,
regardless of the record which is published by the PSD. Since very few
providers even support RUF at all, this does not seem to be a big ask,
although it does require some additional logic. The privacy risk is
primarily related to RUF, not RUA reports so blocking RUF could (IMO)
effectively mitigate the perceived risk of the PSD records while still
allowing the DMARC validation protection.