On December 14, 2018 4:34:35 AM UTC, Dave Crocker <[email protected]> wrote:
>On 12/13/2018 4:25 PM, Scott Kitterman wrote:
>> It suffers from what is, in my opinion, a fatal flaw: it relies
>entirely on
>> assertions that any PSO can publish with no external review. Without
>some
>> kind of third-party check on this, I don't believe there's any
>privacy
>> mitigation at all.
>
>
>I think that assessment is misses an essential point.
>
>Let me back up and say that my suggested alternative is intended to
>take
>the basic concern you are raising seriously. (I'm not stating a
>personal opinion about the seriousness of this as a threat vector, but
>merely looking for a simpler way to satisfy the concern.)
>
>The alternative requires that the registry's dmarc record be
>accompanied
>by a record that points to the terms and conditions the registry
>publishes to indicate why their record is acceptable. (Your draft's
>specification of those conditions looked to me like a reasonable
>starting point; there should be a separate wg discussion for the
>precise
>details and wording; I don't have a personal opinion about those
>words.)
>
>As for the benefits I see in the alternative I've proposed, I'll class
>them as simplification and robustness.
>
>First, a new, query-able registry is expensive to run; and difficult to
>
>ensure quality control for, over the long run.
>
>Second, the vetting method your draft proposes for the registry relies
>on a technical expert to make what is frankly a legal assessment of the
>
>terms and conditions that the registry publishes. And that assessment
>is made only one time, when the registry entry is first created. The
>registry might change its T&C text and we'd be unaware of it.
>
>So while you are technically correct that the alternative means that
>the
>registry gets to /publish/ with no external review, it is not true that
>their dmarc record will automatically be used without review.
>
>In fact what I'm proposing will make widespread and ongoing review
>likely, IMO, probably in the spirit of ongoing reputation assessment
>that the email industry already does, although for dmarc default record
>rather than spam.
I see your point. In addition to complexity, tohe issue that there is no
mechanism for removing bad actors from the registry does present a problem.
Let me think it over and see if I can come up with text that both addresses
your concerns and also provides guidance that I'd be comfortable with in lieu
of the registry.
Scott K
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
