On 09/Sep/11 19:54, Murray S. Kucherawy wrote:
> Hello? Anyone out there?
This was discussed in a different thread...
> The current document says the reporting address is either a local-part
> (a userid) or a full address. If it’s a local-part, then “@” followed
> by the relevant domain is used to compose the full reporting address;
> for an ADSP report, that’s the From: domain, and for a DKIM failure
> report that’s the “d=” domain. So there are reasonable defaults, but
> it does allow one to stick any address at all there. I seem to recall
> it started out that way, then switched to local-part-only, then back to
> where it is now. Does everyone concur that we want to allow that?
I agree with what John said.
The point is that for this not to be a DDoS vector, there needs to
be some way to validate the address before sending it reports.
http://www.ietf.org/mail-archive/web/marf/current/msg01273.html
I proposed a DNS-based validation, replying to his message.
> If we do, I think this warrants text in Security Considerations
> acknowledging the attacks this enables, and talking about why we think
> that’s okay.
I don't think it's okay. Without validation one cannot lightheartedly
use discovered addresses in different domains, IMHO.
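Added example (not code from the thread or from any MARF draft): it composes the report address by the rule quoted above and, as a defensive default, refuses to send to an address outside the requesting domain unless an explicit validation hook vouches for it. The `"dkim"`/`"adsp"` kind strings and the `validated` hook are assumptions standing in for whatever check (such as the DNS-based one proposed) an implementation would use.

```python
from dataclasses import dataclass
from typing import Callable

# Hypothetical hook: stands in for the out-of-band check (the reply proposes
# a DNS-based one) proving the target domain agreed to receive reports.
# The default denies every foreign address.
Validator = Callable[[str, str], bool]


@dataclass(frozen=True)
class ReportDecision:
    address: str   # composed full reporting address
    allowed: bool  # True if a report may be sent there
    reason: str    # why it was allowed or refused


def compose_report_address(reporting_value: str, relevant_domain: str) -> str:
    """A bare local-part gets '@' + relevant_domain; a full address is kept."""
    value = reporting_value.strip()
    if "@" not in value:
        local, domain = value, relevant_domain
    else:
        local, _, domain = value.rpartition("@")
    if not local or not domain:
        raise ValueError(f"malformed reporting address: {value!r}")
    return f"{local}@{domain.lower()}"


def decide_report_target(report_kind: str, reporting_value: str, from_domain: str,
                         signing_domain: str,
                         validated: Validator = lambda addr, dom: False) -> ReportDecision:
    """Pick the relevant domain (d= for a DKIM failure report, From: for ADSP),
    compose the address, and refuse to report outside it unless validated."""
    if report_kind == "dkim":
        relevant = signing_domain.lower()
    elif report_kind == "adsp":
        relevant = from_domain.lower()
    else:
        raise ValueError(f"unknown report kind: {report_kind!r}")
    address = compose_report_address(reporting_value, relevant)
    if address.rpartition("@")[2] == relevant:
        return ReportDecision(address, True, "within the requesting domain")
    if validated(address, relevant):
        return ReportDecision(address, True, "foreign address passed validation")
    # Default deny: an unvalidated foreign address could be a DDoS target.
    return ReportDecision(address, False, "unvalidated address outside the requesting domain")
```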
marf mailing list
https://www.ietf.org/mailman/listinfo/marf