Hello? Anyone out there? From: [email protected] [mailto:[email protected]] On Behalf Of Murray S. Kucherawy Sent: Thursday, August 18, 2011 2:15 PM To: [email protected] Subject: [marf] Revisiting reporting addresses
Referring to draft-ietf-marf-dkim-reporting... The current document says the reporting address is either a local-part (a userid) or a full address. If it's a local-part, then "@" followed by the relevant domain is used to compose the full reporting address; for an ADSP report, that's the From: domain, and for a DKIM failure report that's the "d=" domain. So there are reasonable defaults, but it does allow one to stick any address at all there. I seem to recall it started out that way, then switch to local-part-only, then back to where it is now. Does everyone concur that we want to allow that? If we do, I think this warrants text in Security Considerations acknowledging the attacks this enables, and talking about why we think that's okay. Could someone that remembers this discussion better than me propose some text along those lines? This too has been implemented in OpenDKIM and its antecedent for a long time. Thanks, -MSK
_______________________________________________ marf mailing list [email protected] https://www.ietf.org/mailman/listinfo/marf
