Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-psd-03.txt

Scott Kitterman <sklist@kitterman.com> Wed, 15 May 2019 11:24 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEDE6120091 for <dmarc@ietfa.amsl.com>; Wed, 15 May 2019 04:24:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=7Tf15eGP; dkim=pass (2048-bit key) header.d=kitterman.com header.b=WjaxkDGd
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BG6SsIgL8Uvu for <dmarc@ietfa.amsl.com>; Wed, 15 May 2019 04:24:29 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A533120047 for <dmarc@ietf.org>; Wed, 15 May 2019 04:24:29 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id C69D4F80041 for <dmarc@ietf.org>; Wed, 15 May 2019 07:23:00 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1557919380; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=Sl9Wxi0KFqgGNELUysaiEhq2E7UZRe29qeWgX/1nFW0=; b=7Tf15eGP4C/0hz4VR99llRYU6/TN7Ls2B06Y7Ssy84QTPGBfKBXVdB/O 0KCHbygQVhvM0vxIsFEl42DJD9uHDA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1557919380; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=Sl9Wxi0KFqgGNELUysaiEhq2E7UZRe29qeWgX/1nFW0=; b=WjaxkDGd48WpkhmeZvt8F44TC8u1ZDyE9ShUrKVmtxh+Gg1ixKJPR6mA J19XSCeYgXrfNx7EvsmzxuH9hQBjE4fkK1v1wCIxhois5P6BMNiaKPet/o zwT9aUxlDFBXmuNJjBx+jn/XbhyUn9F74Utxa9/S2tEVzXmxm2kUxjodfS QNapBwFWBqQJ2qT5M1Lkzs+LG5aOq5FrKWnJwfEngyYTG4MH05AQjIgm2f ZmrGpjwZVWDnZcBTliaRxBelBbzwlL6R8o48fKLpqMiikHqjP+Cm6/ej6d 5JWJTzV5y/pvl/QwLw55O2HKhWBwf9+WvoVb6ZxHWISjgJDKMoMFhw==
Received: from l5580.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 93CEFF8003E for <dmarc@ietf.org>; Wed, 15 May 2019 07:23:00 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Wed, 15 May 2019 07:22:59 -0400
Message-ID: <3063446.ceL4kMytFt@l5580>
In-Reply-To: <e94283b9-5706-89be-dc4e-78bdf372510f@tana.it>
References: <155728145158.24534.10112720017814447505@ietfa.amsl.com> <CAD2i3WMKUm51tjXc+cQVqri-wQqJJENd=33Ah45knm0BtODXew@mail.gmail.com> <e94283b9-5706-89be-dc4e-78bdf372510f@tana.it>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/olwsuT90hoD4Gc2oQtjrBRS6tEo>
Subject: Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-psd-03.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 May 2019 11:24:32 -0000

On Wednesday, May 15, 2019 6:17:24 AM EDT Alessandro Vesely wrote:
> On Fri 10/May/2019 01:16:58 +0200 Seth Blank wrote:
> > To reiterate:
> > 
> > This normative MUST NOT is a mistake from many different angles, as it:
> > 1) codifies a policy decision that doesn't affect interoperability
> > 2) adds complexity because reporting against the third lookup is now
> > different than reporting for the other lookups
> > 3) doesn't apply for all use cases (specifically, it would prevent .com
> > from gathering RUF data, but also prevents .google from operating in the
> > same manner as google.com <http://google.com>)
> > 4) reverses a key value of DMARC: giving control of policy to domain
> > owners
> > 
> > I strongly agree that RUF is potentially problematic here, and it would be
> > better off if no one got it, but I really believe that's a policy decision
> > for a domain owner / PSO (and a policy decision for who is allowed in a
> > registry of PSOs), not something that should be normative in the spec.
> 
> In part I agree.  However, RUF is potentially problematic in general. 
> Whether and how to honor RUF requests deserves a better discussion in the
> DMARC specification.  I certainly wouldn't send a non-redacted failure
> report to an unknown domain.
> 
> That said, I agree that control of PSDs should be given to PSOs, by the same
> logic of bullet (4) above.
> 
> On Thu 09/May/2019 18:39:13 +0200 Scott Kitterman wrote:
> > I disagree.  That puts the (potential) fox in charge of the hen house.
> 
> It is true that we cannot trust the generic domain owner.  However, PSOs are
> somewhat more constrained by policies and contracts.  In addition, their
> public DNS records are quite easy to check.  Perhaps we could concede a
> little bit of trust to those foxes?
> 
> In addition to Seth's "if you're a PSD, don't ask for RUF", I'd propose that
> multi-organization PSDs (e.g., ".com") that do not mandate DMARC usage
> SHOULD publish a blank DMARC record, that is policy=none, no ruf, no rua. 
> PSOs that violate those recommendations would not do so in a concealed or
> unanticipated way, but as an integral part of their legalities.

There are multiple types of entities running PSDs under multiple sets of 
rules.  I don't think it's nearly that simple.  Transparency only helps 
moderate bad behavior where there are alternatives.

Scott K
> 
> Best
> Ale