On April 25, 2023 5:31:41 PM UTC, Benny Pedersen <[email protected]> wrote:
>John R. Levine skrev den 2023-04-25 18:28:
>>>> Since the only mechanism is mail and nobody's going to S/MIME encrypt
>>>> their reports, I suggest just deleting it.
>>> 
>>> TLS vs not TLS.
>> 
>> I suppose, but that's not up to the report sender.  If I say
>> "rua=mailto:[email protected]", and the MX for cruddy.org doesn't do
>> STARTTLS, what are you going to do?
>
>STARTTLS is optional, not required, hopefully you did know that
>
>is like some anti spam sites says you must have a MX to send mail or even 
>receive mail, A/AAAA does not work at all, hmm :)
>
>dmarc should not enforce STARTTLS

RFCs don't enforce anything.

I think use of STARTTLS is a reasonable mitigation for surveillance attacks as 
described in RFC 7258.  It's IETF policy to do so.  The should is entirely 
appropriate.  

If we want to be more explicit, the sentence could continue ... , such as 
STARTTLS encryption, or information can be exposed to third parties during 
transport... .

I think it's okay as is.  I think a change along the lines of what I'm 
suggesting is also fine.  I don't think removing it is appropriate.

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
