On 2/1/21 6:24 PM, Dave Crocker wrote:
> On 2/1/2021 6:13 PM, Michael Thomas wrote:
>> Because we all know how well unauthenticated data worked out for
>> email. I fail to see why anybody would be in favor of digesting
>> unauthenticated data when the method of authenticating it is trivial
>> and well known. It's an extraordinary claim that needs to be backed
>> up. But you don't need to convince me; you need to convince the
>> security ADs and cross-area reviewers.
>
> DMARC has been deployed for 6 or 7 years. Where is this onerous abuse
> on reporting that you feel is inevitable?

Email was around for 20 years until spam became a problem. We know how
this plays out: bad guys do the least amount of work possible until they
have to react. When it becomes a barrier, as p=reject does, they take
action to protect their turf. Plugging an obvious security hole with a
well-known and trivial set of authentication mechanisms to prevent
forgery should be the default posture. Anybody who is against that needs
to explain in depth why it should not be the case, especially since it's
part of DMARC now.
Mike, security-related specs thumbing their nose at security is a very
peculiar stance.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc