On Thu, Jun 1, 2023 at 4:03 AM Douglas Foster <
[email protected]> wrote:

> I cannot support the current draft because it creates new problems without
> sufficiently solving the old ones.
>
> The PSL is subject to two types of errors:
> - Landing too high, causing False Pass on non-affiliated domains
> - Landing too low, causing False Fail or False NoPolicy on domains that
> are actually affiliated.
> False Pass presents the greater threat.  While it could occur on any type
> of non-strict alignment, the primary concern is False Pass on sibling
> alignment.
> [...]
>

Can you please define, or give an example of, "sibling alignment"?  My
understanding of "sibling" in a tree structure is two or more nodes at the
same level with a common parent.  In that sense, twitter.com and
facebook.com are siblings.  In the DMARC environment, how could one align
with the other?  Or is your claim that they could align if, say, ".com"
chose to assert policy about them and they omit to assert their own?

> The bottom-up-first-stop tree walk attempts to solve the problem of False
> Pass by using an algorithm that will often land too low, causing False Fail.
>

Can you give an example of this?


> Nonetheless, it fails to solve the whole problem because evaluators are
> still at risk from private registries that publish a DMARC policy with
> strict alignment but without a PSD tag. The proposed tree walk has other
> problems, because it changes an organization's relaxed alignment boundary
> every time that a policy is added or removed.
>

And this?


> As long as the parent-child and child-parent forms of relaxed alignment
> are permitted, we need an explicit tagging mechanism which gives the domain
> owner full control over alignment boundaries and eliminates uncertainty
> about the domain owner's intent.   Parent-child and child-parent
> authentication will be important for as long as SPF-alignment is
> necessary.  For DKIM signatures, I am not convinced that relaxed alignment
> should be necessary even though it has some current use because it is
> allowed.
>

An example here would really help.

-MSK, participating
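The two error modes discussed above, made concrete in an added example that is not from the thread or from any DMARC implementation: Organizational Domain discovery is done with a constructed PSL excerpt and with a simplified bottom-up-first-stop tree walk (my reading of the quoted description, not the dmarc-bis text), and relaxed alignment is then checked for two constructed scenarios. All domain names, DMARC records and the PSL excerpt are made up for the illustration.

```python
# Constructed DNS view: domain -> the DMARC tags this example needs.
# "hosting.example" plays a private registry that publishes a policy
# without a psd tag; "news.example.com" is a subdomain with its own record.
DMARC_RECORDS = {
    "hosting.example": {"p": "reject", "adkim": "s"},
    "example.com": {"p": "reject"},
    "news.example.com": {"p": "none"},
}

# Constructed PSL excerpt: the private registry is NOT listed ("landing too high").
PUBLIC_SUFFIXES = {"com", "example"}


def org_domain_psl(domain: str) -> str:
    """Org domain = longest known public suffix plus one label (PSL method)."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else domain
    return domain  # no suffix known: whole name is treated as the org domain


def org_domain_treewalk(domain: str, records: dict) -> str:
    """Simplified bottom-up-first-stop walk (assumption): climb from the From
    domain toward the root and stop at the first DMARC record found.
    psd=y on that record pushes the org domain one label below it."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):  # never treat the bare TLD as an org domain
        candidate = ".".join(labels[i:])
        record = records.get(candidate)
        if record is not None:
            if record.get("psd") == "y" and i > 0:
                return ".".join(labels[i - 1:])
            return candidate
    return domain  # no record anywhere: only strict alignment is possible


def relaxed_aligned(from_domain: str, auth_domain: str, org) -> bool:
    """Relaxed alignment: both names resolve to the same Organizational Domain."""
    return org(from_domain) == org(auth_domain)


def scenarios() -> dict:
    walk = lambda d: org_domain_treewalk(d, DMARC_RECORDS)
    tagged = {**DMARC_RECORDS, "hosting.example": {"p": "reject", "psd": "y"}}
    walk_psd = lambda d: org_domain_treewalk(d, tagged)
    tenants = ("alpha.hosting.example", "bravo.hosting.example")  # unrelated customers
    same_org = ("example.com", "news.example.com")                # one organisation
    return {
        "tenants_psl": relaxed_aligned(*tenants, org_domain_psl),   # True  -> False Pass
        "tenants_walk": relaxed_aligned(*tenants, walk),            # True  -> False Pass
        "tenants_walk_psd": relaxed_aligned(*tenants, walk_psd),    # False -> correct
        "same_org_psl": relaxed_aligned(*same_org, org_domain_psl), # True  -> correct
        "same_org_walk": relaxed_aligned(*same_org, walk),          # False -> False Fail
    }
```

Adding or removing the `news.example.com` record flips `same_org_walk`, which is the moving relaxed-alignment boundary the quoted text objects to.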
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc