[dmarc-ietf] reporting security requirements

Michael Thomas <mike@mtcc.com> Mon, 25 January 2021 20:41 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF7803A18B1 for <dmarc@ietfa.amsl.com>; Mon, 25 Jan 2021 12:41:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.15
X-Spam-Level:
X-Spam-Status: No, score=0.15 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YXxSvzdGRZjl for <dmarc@ietfa.amsl.com>; Mon, 25 Jan 2021 12:41:38 -0800 (PST)
Received: from mail-pj1-x1029.google.com (mail-pj1-x1029.google.com [IPv6:2607:f8b0:4864:20::1029]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB6123A18A7 for <dmarc@ietf.org>; Mon, 25 Jan 2021 12:41:38 -0800 (PST)
Received: by mail-pj1-x1029.google.com with SMTP id g15so370320pjd.2 for <dmarc@ietf.org>; Mon, 25 Jan 2021 12:41:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=BmxhTgnWLsZulRCZ89d0MFUr0Omq3jOCRLmiPbAJSSQ=; b=TK4IsoSsJgWiQSHUj9Jvn0W0iysEMMVQkbK8x6m3a0+46vFpK8FrVc+f/SFJrkbo+d Cmpeo9dEj2d7NSve8zq6j63mtqGl33ntgXEqIBmZz4l1GnJUqjXjNyJdgrUtWevVfZrA XV8aGjDD0OQvfOwO+2mv/pG/9NiIv5JdueO4czkf/6Dq8z9uDXqxdcwuY2SV4esqXhiX g0RiLOafURHcV7MZU7aJAopRGWeh6hXdXNLqZWo5M94GaaXWpTQKVEJuFPJo9yRwJpzr HGcmei7fVG8hJziJfQaVj386ls7pbMWRymVksGMscdYW9VW4AWaTQLNilk0r6rp/K2vN 0rzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=BmxhTgnWLsZulRCZ89d0MFUr0Omq3jOCRLmiPbAJSSQ=; b=TGpSTaPzIXf3/dRt7FjiV4Zx6lzRUhQ3odcRq+G+xfTNhdEFDXddtKNDeFtdy6USHR 9a7eW7EIhejWMBarG3E38Se414bNfi7qDOpDmckXmSGNrSLLt6Y5IB7a7LAebSDblVKO nR4x8qLJHA9hx4BIMQz40iBsNiDyKbYvvxIXfpnAD8DF1fdDhBm/msRxO3WNOmruC57z SprWIELoFfOV8hla/OIysR1k30sqoRNZ0c0p83sOHUr7kNS6ARDXXb8eFgv4D/K8+CNZ sQv1ZFyFT9TfgLNBd+qQq+DIY+8ml6lfHhgW1Uzcp/fKl6ODUoy96rYHJYAledf800b3 Wf9w==
X-Gm-Message-State: AOAM531+oZS23T2bUM1yajJgALNs8/LomNU90YxDSo9ANrJe0z3+tNXc ZZihdB9CL3JWLQSlyIrss0IAAYCXJzosog==
X-Google-Smtp-Source: ABdhPJxj/AXRTVuRXC9jaEIjLS1b8YbxSDx6S+WfvNnxeSi1StXqFcN9mP+bTL0SCcSrAHhsSY2W5A==
X-Received: by 2002:a17:902:bcc7:b029:de:3c03:f45f with SMTP id o7-20020a170902bcc7b02900de3c03f45fmr2290145pls.32.1611607297845; Mon, 25 Jan 2021 12:41:37 -0800 (PST)
Received: from mike-mac.lan (107-182-35-22.volcanocom.com. [107.182.35.22]) by smtp.gmail.com with ESMTPSA id s187sm17309016pfb.161.2021.01.25.12.41.36 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 25 Jan 2021 12:41:37 -0800 (PST)
To: Seth Blank <seth@valimail.com>
Cc: "Murray S. Kucherawy" <superuser@gmail.com>, Douglas Foster <dougfoster.emailstandards@gmail.com>, IETF DMARC WG <dmarc@ietf.org>
References: <34317129-8225-fb38-4ad3-e1b9ffed21fb@iecc.com> <9c84fa50-d23c-a794-fc62-09788ac383a9@mtcc.com> <CAHej_8mTaFo7aESFk4pHjbqbheriYPoAy6f+HhcE6ASVJSyViA@mail.gmail.com> <df867378-5da0-b912-2a0f-b2081d1f2437@mtcc.com> <CAHej_8kfCC1H89pRjgxXK=+BizJHFdKgnr7Gxh_2wWq8P7L-0Q@mail.gmail.com> <a94cb6c0-0a32-da8d-4bd5-9c7ab2866c82@mtcc.com> <CAH48ZfxkQ9g-gmBOPdDsxr4RDvXOi56EaX=aJVDbuL_g7kR+xQ@mail.gmail.com> <CAOZAAfOB93fpYRjwxgQNkG-ydVHLtvgUp0LLROvv-F-amJVy4w@mail.gmail.com> <b9e8da8e-f46a-49c0-4196-1d50ed94d526@mtcc.com> <CAOZAAfPh4kYq0yXhtP9BaPmtP_rc7L-0f=r3Ff_P3oxrhYqvtw@mail.gmail.com> <fd74120f-bfad-ef51-64d7-2f8ec4f00fab@mtcc.com> <CAL0qLwaPmMGR48EUhNkmZTozjoiTMnC6Rfmjdo9vLYD6ZhNoAw@mail.gmail.com> <CAOZAAfMcQ3HCrQAgKWeK-n2Acf+COK+E3HuCauh8g44KiWj=ng@mail.gmail.com> <25ea488b-e432-75c4-c57a-01d03308208c@mtcc.com> <CAOZAAfP5n15=Ez6_SFmkyDOyF=mpD8npZJmJujKP1vw322fGLg@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <2f73843f-eaec-5bb7-c59c-08ff387418e3@mtcc.com>
Date: Mon, 25 Jan 2021 12:41:35 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <CAOZAAfP5n15=Ez6_SFmkyDOyF=mpD8npZJmJujKP1vw322fGLg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Xz2FeBfU8ALzoOVGe01D0yuwbK0>
Subject: [dmarc-ietf] reporting security requirements
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jan 2021 20:41:40 -0000

On 1/25/21 10:02 AM, Seth Blank wrote:
> Michael, are you aware of anyone not following the guidance in the 
> document? This thread feels like we're discussing a non-issue. 
> Aggregate reports are already required to be authenticated and I'm 
> unaware of anyone sending failure reports, let along unauthenticated 
> ones. Is the language causing problems? Such problems have not been 
> brought to the list, and would be a good place to start if you want to 
> build consensus.

 From the looks of it, it doesn't seem like the security requirements of 
reporting was ever undertaken. There seems to be a wide range of 
disagreement even if there was given the thread from which this came. 
 From there is actually text, to don't know if it's an issue, to there 
hasn't been a problem before (as if that were some sort of barometer), 
to authentication might inconvenience google, to contradicting your 
assertion that authentication in the way you mentioned can be done. 
Since this is going to proposed standard from informational, that is not 
a very good state of affairs, IMO.

Mike