On Friday, July 12, 2019 6:35:31 PM EDT Kurt Andersen (b) wrote: > Please note that I did not review Tim's comments in detail so some of the > following points may have been covered by him previously.
Thanks. I'd forgotten about that set of comments. I think they mostly relate to the understandability of the front matter, so I'll discuss that further in that thread. > *Page 2 contains the following paragraph:* > > This memo provides a simple extension to DMARC [RFC7489 > <https://tools.ietf.org/html/rfc7489>] to allow > operators of Public Suffix Domains (PSDs) to express policy for > groups of subdomains, extends the DMARC [RFC7489 > <https://tools.ietf.org/html/rfc7489>] policy query > functionality to detect and process such a policy, describes receiver > feedback for such policies, and provides controls to mitigate > potential privacy considerations associated with this extension. > > This extension does not really allow PSDs to express policy for > "groups of subdomains" unless you take the perspective that "all or > none" are groups. Perhaps altering the language to say "...to express > policy that would apply to subdomains..."? I think Tim's suggestions address this concern. > *The very end of section 1 says:* > > DMARC [RFC7489 <https://tools.ietf.org/html/rfc7489>], by design, > does not support usage by PSOs. For PSDs > that require use of DMARC [RFC7489 > <https://tools.ietf.org/html/rfc7489>], an extension of DMARC > reporting > and enforcement capability is needed for PSO to effectively manage > and monitor implementation of PSD requirements. > > I still fail to see how this proposal is necessary (or, potentially > even useful) for the PSO to perform enforcement of their policies. I'd > recommend either deleting the entire paragraph or refocusing the > second sentence around the brand protective role that this proposal > brings for abuse of non-existent subdomains below the PSD. I think it can be deleted. > *Section 2.2* "PSD DMARC includes all public domains..." --> suggest > "PSD DMARC applies to all public domains..." Seems fine. > *Section 2.6* "...that a receiver is willing to accept" seems like it > opens up a wide area if one applies considerations like > DNSSEC/DANE/MTA-STS/etc. There is a separate conversation on this > topic so I'll defer to that thread. > > *Section 3* should include the new "np" keyword as an update to the DMARC > spec. > > *Section 3.5* This call-out makes it seem like information about > non-existent domains is not desirable and useful for org-level DMARC. > Can we modify the language to remove that implication? Perhaps "...is > desirable and useful, just as it is for org-level DMARC operators." There was a desire to say something specific about wanting data on non-existent domains. I agree with your point. What would you suggest saying to make the point that it's definitely desirable at the PSD level without implying it's not otherwise? > *Section 4* Neglects the privacy implications of broken "receiver is > willing to accept" conditions that may lead to additional leakage. > Also in the third bullet point, "it's feedback" should not have an > apostrophe. Typo is fixed in git. Isn't it always true that if local policy prohibits accepting certain DNS data, things will work out differently? Does this need to be called out? Scott K _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
