On 7/21/2020 12:32 PM, Dotzero wrote:


On Tue, Jul 21, 2020 at 2:06 PM Dave Crocker <[email protected]> wrote:

    On 7/21/2020 10:58 AM, Dotzero wrote:
    For this case, DMARC externalizes that internal personnel problem.

    But it does not fit the definition of "spoofing".

Please note that I did not use either the word "spoof" or "spoofing".  You wrote "MLM is authorized by the user". Someone without authority cannot authorize. In this case the user externalized the problem, not DMARC.

That's simply incorrect.

I give you my credit card, telling you to use it only for gasoline purchases while running errands for me.  You take the car on a cross-country joyride, running the cc charges for gasoline up.  The stations that  charged the gas to the card did nothing wrong.  The problem is internal, between you and me.

The MLMs did not do any spoofing.  They acted appropriately, as they have for 45 years.

If the domain owner has a problem with the user's behavior, that's internal, between the domain owner and the user.

Using language that casts the MLM as doing something wrong is a fundamental misrepresentation of the situation.


    > If that is the problem, why did you participate in the original DMARC
    > effort? The issue was clear even back then.


    The original DMARC effort was, in fact, to detect actual cases of
    spoofing, namely unauthorized use of a domain name by outside actors.

    Different problem.


Actually, part of the effort was to enable Sending domains to identify their own mail that was being sent without aligned DKIM signing or from places not authorized through SPF - in other words, not properly authorized but legitimate, hence feedback loops.

This was a point of significant confusion during the initial effort.

It is not reasonable to impose a substantial and permanent cost on the external internet, for an organization's inability to monitor and regulate behavior within the organization.

Whereas it is entirely reasonable to have a standard that facilitates detecting externally-generated traffic that has unauthorized use of a domain name.

d/


--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
