On 6/8/2014 10:26 PM, Murray S. Kucherawy wrote:
>> To express how strongly I feel about this....
>> If there is a charter for a new DMARC WG work, you can bet I will
>> request that any form of 5322.From-Corruption concept be
>> considered OFF TOPIC and OUT OF SCOPE in the new WG charter except
>> to be aware of intentional From-Corruption is to be considered a
>> new security exploit and threat to be mitigated. And for the
>> record, I will also appeal any IETF work that begins to suggest
>> From-Corruption concepts as a means to bypass security protocols.
>> I will appeal it.
>
> Setting aside for the moment how premature this threat is given that
> there's not even a skeleton charter under proposal right now,

It's better to get this bud nipped now.

> I suggest you read Section 6.5 of RFC2026 to figure out what the
> official basis would be for such an appeal.

Murray,

Fundamentally, any From-Corruption (good term to use) concept is bad.
30 years of mail software/product/hosting development across multiple
networks tells me so, it ethically burns inside me as wrong and I have
strong confidence the IETF/IESG wise ones will agree. I hope you agree
too.

You will need to add security information to your DMARC document as
this From-Corruption concept would be a security exploit that can
potentially get by RFC5322 validation checks that can hurt DMARC
publishers and create bad PR for the DMARC protocol itself. DMARC
receivers will need to be warned.

You will need to provide guidelines for mitigating it, not for
allowing it unless there is an explicit policy defining language
authorizing it, and even then, that can be cracking open a loophole.
You may want to make it a boundary layer check thing. The exploit will
need to be described just like it was done for DKIM's Double From
situation with RFC5322 validation checks done at receivers.

Consider it a "to-do" note for when the anticipated official DMARC WG
begins.

Thanks

--
Hector Santos, CTO
http://www.santronics.com
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc