On 12/13/2018 4:25 PM, Scott Kitterman wrote:
> It suffers from what is, in my opinion, a fatal flaw: it relies entirely on
> assertions that any PSO can publish with no external review.  Without some
> kind of third-party check on this, I don't believe there's any privacy
> mitigation at all.

I think that assessment misses an essential point.

Let me back up and say that my suggested alternative is intended to take the basic concern you are raising seriously. (I'm not stating a personal opinion about the seriousness of this as a threat vector, but merely looking for a simpler way to satisfy the concern.)

The alternative requires that the registry's dmarc record be accompanied by a record that points to the terms and conditions the registry publishes to indicate why their record is acceptable. (Your draft's specification of those conditions looked to me like a reasonable starting point; there should be a separate wg discussion for the precise details and wording; I don't have a personal opinion about those words.)

As for the benefits I see in the alternative I've proposed, I'll class them as simplification and robustness.

First, a new, query-able registry is expensive to run; and difficult to ensure quality control for, over the long run.

Second, the vetting method your draft proposes for the registry relies on a technical expert to make what is frankly a legal assessment of the terms and conditions that the registry publishes. And that assessment is made only one time, when the registry entry is first created. The registry might change its T&C text and we'd be unaware of it.

So while you are technically correct that the alternative means that the registry gets to /publish/ with no external review, it is not true that their dmarc record will automatically be used without review.

In fact what I'm proposing will make widespread and ongoing review likely, IMO, probably in the spirit of ongoing reputation assessment that the email industry already does, although for dmarc default record rather than spam.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc