On December 6, 2018 6:45:10 PM UTC, Alessandro Vesely <[email protected]> wrote:
>On Thu 06/Dec/2018 18:48:00 +0100 Scott Kitterman wrote:
>> On December 6, 2018 5:39:56 PM UTC, Alessandro Vesely <[email protected]> wrote:
>>> On Sat 01/Dec/2018 02:27:54 +0100 Scott Kitterman wrote:
>>>>
>>>> Perhaps we need to step back and see if there is consensus that the privacy
>>>> considerations in the draft are substantially correct and if risk mitigation
>>>> is needed as described.
>>>
>>>
>>> How about expanding on this:
>>>
>>> On Sat 01/Dec/2018 00:37:24 +0100 Scott Kitterman wrote:
>>>>
>>>> I don't think wide open TLDs like .com ought to be stimulating feedback on
>>>> any lower level elements of the DNS tree.
>>>
>>> IMHO, statistics derived thereof would be an interesting read.
>>
>> I'm not sure I understand? How much would be okay?
>
>
>Eh? How much of what?
>
>
>I meant, let's consider average.com which doesn't have a DMARC record. I
>receive a message from [email protected], so I look up _dmarc.average.com and get
>NXDOMAIN, then let's say I look up _dmarc.com and find a record there. At the
>end of the day I'll mail an aggregate record saying I received 1 message from
>192.0.2.1 using From: domain average.com, valid spf average.com, no dkim.
>
>That way, Verisign will get to know how many messages, from which mailouts,
>featuring what auth methods average.com sends each day. Ditto for any other
>domains which don't bother publishing their own DMARC records.
>
>For ESPs, those numbers reveal something about their business volumes. Ditto
>for e-commerce businesses or similar, which send e-mail transactions. How much
>of a risk is that, compared to, say, their ISPs' data, or their accountants'?
>
>
>On Sat 05/May/2018 15:55:37 +0200 John Levine via dmarc-discuss wrote:
>> My feedback goes into a database where I do occasional summary
>> queries. I don't recall any particular problems doing the analysis
>> and it is kind of fun to extract numbers like how many NANOG
>> subscribers get their mail at Gmail.
>
>
>By the time From:-rewriting takes hold, even such amusing diversions won't be
>possible. I think John was among the first to store reports in a DB. The
>above quote is about the only finding I happened to hear from him on
>this subject.
>
>
>I may be dumb, but I have difficulty in getting useful data from aggregate
>records. And still don't see the risk.

Okay.

RFC 7489 already says there is some privacy sensitivity to the reports. I
didn't think we needed to re-debate that.

See sections 9 and 12.5. Without some kind of applicability constraint, we
would essentially be creating the situation that 12.5 warns about.

Instead of rehaving an argument about DMARC, would you be willing to accept
that they knew what they were doing when they wrote those parts of 7489, even
if you don't quite see it?

Scott K
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
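
The lookup fallback and aggregate row described in the thread, as an added example that is not part of the original messages or of any DMARC implementation. The DNS records, report addresses, second sample message and the `psd_allowed` parameter (one hypothetical form of an applicability constraint) are constructed assumptions.

```python
from collections import Counter

# Constructed DNS data: average.com has no DMARC record, "com" does.
TXT = {
    "_dmarc.com": "v=DMARC1; p=none; rua=mailto:reports@registry.example",
    "_dmarc.careful.com": "v=DMARC1; p=reject; rua=mailto:dmarc@careful.com",
}
PUBLIC_SUFFIXES = {"com"}  # stand-in for a real public suffix list


def split_domain(domain):
    """Return (organizational domain, public suffix) for a From: domain."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):]), suffix
    return domain.lower(), None


def report_recipients(from_domain, psd_allowed):
    """Walk From: domain -> org domain -> public suffix; return rua list."""
    org, suffix = split_domain(from_domain)
    candidates = [from_domain.lower(), org]
    if suffix in psd_allowed:  # hypothetical applicability constraint
        candidates.append(suffix)
    for name in candidates:
        record = TXT.get("_dmarc." + name)  # missing key models NXDOMAIN
        if record and record.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
            return [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return []


def aggregate(messages, psd_allowed):
    """Group received mail into per-recipient aggregate rows with counts."""
    reports = {}
    for msg in messages:
        row = (msg["from"], msg["ip"], msg["spf"], msg["dkim"])
        for rua in report_recipients(msg["from"], psd_allowed):
            reports.setdefault(rua, Counter())[row] += 1
    return reports


# Constructed sample: the message described in the thread, plus one more.
MESSAGES = [
    {"from": "average.com", "ip": "192.0.2.1", "spf": "pass", "dkim": "none"},
    {"from": "careful.com", "ip": "192.0.2.7", "spf": "pass", "dkim": "pass"},
]
```

With `psd_allowed={"com"}` the suffix operator's address receives the average.com row; with an empty set it receives nothing, and careful.com's own report is unaffected either way.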