On March 29, 2023 1:00:29 AM UTC, "Murray S. Kucherawy" <[email protected]> wrote: >On Wed, Mar 29, 2023 at 5:30 AM Trent Adams <tadams= >[email protected]> wrote: > >> Regardless of the outcome of that analysis, though, it does seem >> reasonable to ask the reporter to include a tag indicating the method they >> employed to discover the policy. They will know which method they use, >> it's reasonable to request they include it, and it'll significantly improve >> the utility of the reports. Further... while trouble-shooting >> authentication problems, it's useful to compare reports from multiple >> sources, and when doing so it'll be necessary to distinguish between >> discovery methods. >> >> >> >> In short, I am strongly in favor of including a tag within the RUA that >> indicates which discovery mechanism was employed. For all the reasons >> previously discussed, it may not be wise to key off of a version, but we >> could use some indicator of discovery. >> > >I'm still noodling on this, but my current view is that this seems like a >reasonable thing to allow for in the specification and it might be >something we even want to encourage, though we ought not make it >mandatory. If it turns out that implementation X doing a tree walk has a >vulnerability, or that the tree walk itself is vulnerable somehow, I might >not want to announce that I'm subject to attack. > >-MSK, participating
As long as it's optional, I can live with it. Scott K _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
