On 2/1/21 6:05 PM, Dave Crocker wrote:
On 2/1/2021 5:58 PM, Michael Thomas wrote:
This, on the other hand, should be measurable. Saying that we should
ignore authentication requirements should require extraordinary proof
that it is needed for practical as well as security reasons. The
burden of proof is on the nay-sayers, especially since it is so
trivial to implement these days.
Or perhaps:
1. Barrier to adoption, for something that supposedly needs a lot
more adoption
2. Doesn't seem to make much difference.
I'd class those as suggesting rather strongly that the burden is on
those that want to impose the barrier, rather than those who don't.
The problem with arbitrarily claiming a requirement, without justify
it carefully and in a balanced matter is that it is, well, arbitrary.
Because we all know how well unauthenticated data worked out for email.
I fail to see why anybody would be in favor of digesting unauthenticated
data when the method of authenticating it is trivial and well known.
It's an extraordinary claim that needs to be backed up. But you don't
need to convince me; you need to convince the security AD's and cross
area reviewers.
Mike
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
