Re: [Uta] reporting, was CBOR, XML, JSON (was Re: Updated SMTP STS Draft)

[Viktor Dukhovni <ietf-dane@dukhovni.org>]

On Sat, May 07, 2016 at 01:08:44AM -0000, John Levine wrote:

> > It is the long tail of much smaller domains where SMTP transport security needs
> > an effective alerting channel.
> 
> So they can point the reports at some place like dmarcian.com, which
> does the analysis for small mail systems for free.  Once again, this
> is not a new problem, and practical solutions are well known to people
> who take a few seconds to look for them.

Most of the small domain operators will not do that.  And this leaks
sensitive data.

If you can't send DMARC reports to some domain, no big deal nobody
cares.  There's little operational impact.  If their certs expire,
and they don't notice, everybody who's trying to send them email
(and their postmaster staff getting support calls) feels the pain.

I am not buying the outsourced processing model as sufficiently
broadly applicable.  Why are you so opposed to recognizing that
perhaps we have two different use-cases to address, and might well
address both?  I am not denying your use case, just saying it is
less urgent based on operational experience of resolving TLS issues
in forward delivery.

As for the authors of the draft, they should not be focused on
*just* the large provider problem if this is to be broadly applicable
technology.  If their part of the elephant requires aggregate report
flows, so be it.  Not everyone will send them such reports, they
require a bunch of heavy-lifting.  A simple in-band status indication
stands a better chance of being enabled by default.

[ I am really hoping to not hear a counter-argument, I don't think
  I am saying anything radically controversial, but I keep being
  surprised ... ]

-- 
	Viktor.