On Wednesday, December 12, 2018 05:46:08 PM Dave Crocker wrote:
> On 12/12/2018 5:27 PM, Scott Kitterman wrote:
> >> And the draft makes no reference to privacy issues. Or rather, the
> >> Privacy Considerations section says the draft doesn't introduce any.
> >
> > As written, it doesn't. If you change it the way you propose, it will.
>
> Please elucidate. I don't have a guess as to what those issues are.

RFC 7489, Section 9.1 describes the data exposure considerations associated with DMARC. If we extend DMARC with PSD and no limitations on PSO participation, then those considerations will apply to every domain that does not participate in DMARC (because the PSO can now get the data - publishing a DMARC record will prevent that, but let's not make DMARC participation more coercive than it already is).

I think it would be interesting to get more details from John Levine on his experience with this as he has (in a later message in the thread) mentioned he's getting this kind of data now for odd architectural reasons.

Back to this draft, without the registry or some equivalent mechanism, we'd have to look at the part of Section 4.1 on Multi-organization PSDs and give a detailed explanation of the privacy risks to non-DMARC participants. It's not relevant as the draft is currently scoped because as currently defined it's only for PSDs where every domain is required to participate in DMARC, so no issue.

Scott K
