IETF Logo Mail Archive

Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports

John R Levine <johnl@taugh.com> Fri, 18 December 2020 20:05 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5866C3A0762 for <dmarc@ietfa.amsl.com>; Fri, 18 Dec 2020 12:05:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b=V0oBgJCR; dkim=pass (2048-bit key) header.d=taugh.com header.b=brEZqhz6
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iH0Y15rQieCQ for <dmarc@ietfa.amsl.com>; Fri, 18 Dec 2020 12:05:46 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 306A63A074E for <dmarc@ietf.org>; Fri, 18 Dec 2020 12:05:45 -0800 (PST)
Received: (qmail 5763 invoked from network); 18 Dec 2020 20:05:43 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type; s=167b.5fdd0b97.k2012; i=johnl-iecc.com@submit.iecc.com; bh=4RU218DIC8oS+2wBSjSxWWp2Qti1b7mMm6l+CIhP9p0=; b=V0oBgJCR6zJ3vV+1oTGQJaqRVh3vy5DYw0wAX2q0Z4KU0Q/lAhwMPWzv//HyS7T2/J9aNQaOCeTxVI4V2wsLS0ATMDMUdypDJmtc1nskKb4uNhqTg1dOcg2i81Rtbb6Ccb8aTm/HPLCIh0nHyLzJ/z63q5dC3DPAuoOsqnyYlo/5SSTuJ0iRkpIwxVigpD4tXbxMO+noMZOKbRQ+r+9DZgZ8ITtN6voVcBILOfaaAwykj+B81rAQjasPBX9Nwu96PZ65EViw92hicpmxULIzzBCCq2YjWyAikgm4+VicnL2YFXLX3cB5t7NrIiqT9U8YRF8gHu4V6kFZTDpyi+6Teg==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type; s=167b.5fdd0b97.k2012; olt=johnl-iecc.com@submit.iecc.com; bh=4RU218DIC8oS+2wBSjSxWWp2Qti1b7mMm6l+CIhP9p0=; b=brEZqhz6deAagQlqxnde0c2GAmYplT6SdJgMZwwNX9uG3x0IYLAf+YmmuLcggLJPUlL7QjebQ6epO6+LSOOOYlJe6D0KETpsx3mtFz7wYaCVdk80OgVpHHgrx58nLo1CgoCUjTtt1oGmCtsb5dky/rNq5vblBuGGnreDB8eY2yfFqLjrb6KL8EWq0Ue6QMRLvfBNLnfsGdnVS3Z1bl5y5yYycVuOezojHeIEwizOm2o53EZmJEkNLne3kePoZoxZKDLimgGnEbTX4lamsvt4Tj/anf509VAJlhTRJCg/sUiBZrNu2B8fdML7mKUNeqS/rFw7TNqmcxmDBGPvllCe2A==
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPSA (TLS1.3 ECDHE-RSA AES-256-GCM AEAD, johnl@iecc.com) via TCP6; 18 Dec 2020 20:05:43 -0000
Date: Fri, 18 Dec 2020 15:05:43 -0500
Message-ID: <39125012-e356-d62d-36fd-a7ff25a9f59f@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Alessandro Vesely <vesely@tana.it>, dmarc@ietf.org
In-Reply-To: <4a43ffaa-3987-c892-cce7-56f18888cdf5@tana.it>
References: <20201218023900.E73B82ACBB2B@ary.qy> <4a43ffaa-3987-c892-cce7-56f18888cdf5@tana.it>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/aYRI7b96BMTou76ckbxoYL76YrI>
Subject: Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2020 20:05:49 -0000

> Info which is encoded in such a way that only the sender can understand rises 
> no PII concern, IMHO.  A sender could cache sent messages and devise how to 
> encode the corresponding filenames in DKIM selectors.  Reporting just the 
> failed signature would leak the whole message by reference.  So what?

Now he knows which forwarded recipients are talking with his users.

>> Also, whether we use the current Org domain heuristic or a tree walk
>> to find a higher level DMARC record, there is no way to reliably tell
>> the relationship between a domain publishing the rua or ruf tag and a
>> subdomain being reported. Partly this is the Holy Roman Empire
>> problem, partly the PSL is just incomplete and always will be.
>
> Right.  A user can use a submission server which is trusted not to relay 
> messages to third parties.  Yet, ruf= can point to a completely different 
> environment.

No, that's not what I was talking about.  I am the registry for 
someplace.ny.us, and the county government is co.someplace.ny.us.  I get 
all of the DMARC reports for the county's mail.  Oops.  I'm not being 
hypothetical here.

> To avoid that risk, one can send just the header, and redact it 
> appropriately. Should the spec give practical advice about how to do that?

Since it doesn't solve the problem, no.

>>> Any lawyers in this WG?
>> 
>> The IETF most definitely does not provide legal advice.
>
> That sounds more like a bug than a feature.  We should at least check that 
> any advice given is legally sound.

There are 195 countries in the world, and many like the US have states or 
provinces with different legal systems.  Legally sound where?

R's,
John

v2.23.0 | Report a Bug | By Email