On Sun 24/Jan/2021 18:05:03 +0100 John Levine wrote:
In article <[email protected]> you write:

I'm going to post version -01 of failure reporting before 22 February.  Please 
express consensus or ask for changes.

MD version:
https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-failure-reporting/blob/main/draft-ietf-dmarc-failure-reporting.md

My main concern continues to be that we should not have made this a
separate draft, but we should put all of the reporting in one document.


That cannot be expressed in the draft itself...


In sec 3 it says the reports SHOULD include all URIs.  That is a privacy
problem since it is common for unsubscribe URIs to contain the recipient
address in plain text or an easily reversed encoding such as base32.


Would something generic as the following do?

   These reports SHOULD include any URI(s) from the message that failed
   authentication, unless privacy reasons suggest otherwise.  [...]


The privacy considerations miss the fact that organization domains are
only an approximation to actual domain ownership, and reports may be
sent to someone unrelated to the actual sender. This is not
hypothetical; I get reports for subdomains who are not me all the time.


Shall I add that verbatim as a second paragraph in Security Considerations?

   In addition, note that Organizational Domains are only an approximation
   to actual domain ownership.  Therefore, reports may be sent to someone
   unrelated to the actual sender.


Best
Ale
--








_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
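
The privacy concern raised in the thread about unsubscribe URIs, as an added example that is not part of the original messages or of the draft: a sketch of how a report generator could withhold URIs that carry the recipient address in plain text, percent-encoded, or base32. The function names, the sample message body and the address `alice@example.net` are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Runs of base32 alphabet characters long enough to hold part of an address.
B32_RUN = re.compile(r"[A-Z2-7]{8,}", re.IGNORECASE)


def leaks_recipient(uri, recipient):
    """Return how the recipient address appears in the URI, or None."""
    rcpt = recipient.lower()
    # Plain text, including percent-encoded forms such as %40 for "@".
    if rcpt in unquote(uri).lower():
        return "plain"
    for run in B32_RUN.findall(uri):
        core = run.upper()
        # Senders often strip "=" padding; restore it before decoding.
        padded = core + "=" * (-len(core) % 8)
        try:
            text = base64.b32decode(padded).decode("utf-8", "ignore")
        except ValueError:  # not valid base32 (binascii.Error is a ValueError)
            continue
        if rcpt in text.lower():
            return "base32"
    return None


def uris_for_report(body, recipient):
    """Split the message's URIs into (kept, withheld) for a failure report."""
    kept, withheld = [], []
    for uri in URI_RE.findall(body):
        (withheld if leaks_recipient(uri, recipient) else kept).append(uri)
    return kept, withheld


# Constructed sample input (not taken from any real message).
RCPT = "alice@example.net"
TOKEN = base64.b32encode(RCPT.encode()).decode().rstrip("=").lower()
BODY = f"""Read more: https://news.example.org/issue/42
Unsubscribe: https://news.example.org/unsub?email=alice%40example.net
One-click: https://news.example.org/u/{TOKEN}
"""

if __name__ == "__main__":
    kept, withheld = uris_for_report(BODY, RCPT)
    print("kept:", kept)
    print("withheld:", withheld)
```

This only catches the two encodings named in the thread; hashed or encrypted tokens that map back to a recipient on the sender's side are not detectable this way.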
