Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports

John Levine <johnl@taugh.com> Fri, 18 December 2020 02:39 UTC

DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=10610.5fdc1645.k2012; bh=HuI7DihlDF+cEaYXjZpgvUjgBak9OLgJW3k+lcTakzE=; b=Jnnmp3Y02ZI/3AmUy1yGkqtLEW3489WT4wyjDJ99G0dU5o9Qn3j8rsOVkCvW6e6WqQaEzAaPTxWOhNCnO0WwbXG8LihpL85nglhQbpTWPHyVKGw+PFwCFhrzsu9/5goHhBQlIFHdmmImavq74TZPaWMZlK/1jhligkKVNdktH9Y5J74HeUYETYkoOKxNyR3s0wQhEove7YTatQMXXrYUuehuyLCw1uv67RCXkWp4oVEiP97n5yj+PJ38KdqF1ifLrIDi5QSYj7lBto7COl5ajdmv9ZKpjdZU91/WFFjKaZo+ZiGBAkK2Q8PMbgIphb1g4b3hQNEVViOkhLKPGhQNEQ==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=10610.5fdc1645.k2012; bh=HuI7DihlDF+cEaYXjZpgvUjgBak9OLgJW3k+lcTakzE=; b=c4u+FvRVqAzQvJFaIG2LCTUwl3ElemVjkQFJkp3oszyAK6GGPdawt9EVH4kIICLn/h0+O9NbnlgJgmGfUlGqA+S0eTgpVPBgYNFEu/BCSMfTtImWtfM+FY486k4m4uoSBGyVdNEY0S5mvSv/A/GCksTMalMbbsJdIFL1etwzBbpZo51SIMsr6MkATtWkgWXFamDOWLWOyBRrt3UEds4dM+MGPa5sab5Ex3LFTtr+KsdYs4S0pzqpuRlOJK5aT8uu7bQoL5cwPnLTjurpD/lfp0In1eJHdH+LungM9Zd4EXpgHY1OuPzk3nAB/4dDznA1/2ycRa/2eaqxp1+lIhMOPg==
Date: Thu, 17 Dec 2020 21:39:00 -0500
Message-Id: <20201218023900.E73B82ACBB2B@ary.qy>
From: John Levine <johnl@taugh.com>
To: dmarc@ietf.org
Cc: vesely@tana.it
In-Reply-To: <cc4e4665-f55b-bec7-760d-ae6ae3d01ee1@tana.it>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ouMXCPRau0leqOfEigr8JoebYRU>
Subject: Re: [dmarc-ietf] Ticket #55 - Clarify legal and privacy implications of failure reports

In article <cc4e4665-f55b-bec7-760d-ae6ae3d01ee1@tana.it> you write:
>We would like to close this ticket two weeks from now, by the end of the year, 
>so please get on it.
>
>The ticket text is just:
>
>     Make it clear in privacy considerations that failure reports can provide
>     PII well beyond a domain name, and are not sent by most receivers.

The current text says that, but it should also point out that
redaction does not always remove PII. Info about sender or recipient
might be encoded in non-obvious places such as the Message-ID or DKIM
selectors.*

Also, whether we use the current Org domain heuristic or a tree walk
to find a higher level DMARC record, there is no way to reliably tell
the relationship between a domain publishing the rua or ruf tag and a
subdomain being reported. Partly this is the Holy Roman Empire
problem, partly the PSL is just incomplete and always will be.

>Any lawyers in this WG?

The IETF most definitely does not provide legal advice.

R's,
John

* - I've been doing that for ages.  Every message gets a unique selector.
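
The point about redaction above, as an added example that is not part of the original message: a redactor that only hides address local-parts leaves a per-recipient token in the Message-ID and DKIM selector, so the report still identifies the recipient to the sender. The `tag()` scheme, the example.com/example.net names and all function names are assumptions made for illustration.

```python
import hashlib
import re

def tag(addr: str) -> str:
    """Hypothetical sender-side scheme: a per-recipient token."""
    return hashlib.sha256(addr.encode()).hexdigest()[:12]

# Constructed sample headers, as a failure report might quote them. The
# sender puts the recipient's token in both the Message-ID and the selector.
RCPT = "alice@example.net"
SAMPLE = (
    "From: News <news@example.com>\r\n"
    f"To: {RCPT}\r\n"
    f"Message-ID: <{tag(RCPT)}.1608259140@example.com>\r\n"
    f"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=m{tag(RCPT)}; "
    "h=from:to:message-id; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
)

ADDR = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)")

def redact_addresses(headers: str) -> str:
    """Naive redaction: hide local-parts in address headers only."""
    out = []
    for line in headers.splitlines():
        if line.split(":", 1)[0].lower() in ("from", "to", "cc"):
            line = ADDR.sub(r"redacted@\1", line)
        out.append(line)
    return "\r\n".join(out)

def redact_strict(headers: str) -> str:
    """Also blank the Message-ID left part and the DKIM s= selector."""
    text = redact_addresses(headers)
    text = re.sub(r"(?im)^(Message-ID:\s*<)[^@>]+", r"\1redacted", text)
    return re.sub(r"(?im)^(DKIM-Signature:.*?\bs=)[^;\s]+", r"\1redacted", text)

def still_identified(report: str, recipients: list[str]) -> list[str]:
    """Audit: recipients whose token survives in the redacted report."""
    return [r for r in recipients if tag(r) in report]

if __name__ == "__main__":
    everyone = [RCPT, "bob@example.net"]
    print(still_identified(redact_addresses(SAMPLE), everyone))
    print(still_identified(redact_strict(SAMPLE), everyone))
```

Blanking the selector also hides which key signed the message, so the stricter redaction trades some of the report's diagnostic value for privacy.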