DMARC is a mechanism to fight against mail related abuse (eg. spam emails). And
for that matter it is sufficient to keep DMARC/DKIM/SPF records in DNS. In the
case of STS, the threats we are considering is quite different from DMARC. It
is because of the same reason we are not sticking policy in DNS (with no
DNSSEC). So to answer the question, it is ok to send DMARC over email assuming
the recipients can be reached over email. But in the case of STS, a failure
means the sender is unable to verify the recipient - hence that channel is not
trusted. In such cases HTTPS is preferred over mailto:.
thanks,-binu
From: Aaron Zauner <[email protected]>
To: John R Levine <[email protected]>
Cc: [email protected]
Sent: Thursday, 5 May 2016 9:17 AM
Subject: Re: [Uta] CBOR, XML, JSON (was Re: Updated SMTP STS Draft)
> On 05 May 2016, at 22:04, John R Levine <[email protected]> wrote:
>
>>> People have beens mailing around vast numbers of DMARC reports, most
>>> of which have an application/gzip body. If there have been attacks
>>> using DEFLATE bugs, nobody's gotten around to reporting them.
>>
>> I'm not much worried about attacks on DEFLATE and SMTP traffic. But as I
>> understand from the draft, there's also an option to report back via HTTPS.
>> Here DEFLATE may become a security issue.
>
> I don't see why. HTTP has had gzip encoding since http/1.0 twenty years ago,
> but I only defined application/gzip for mail in 2012. Your browser probably
> decodes deflated pages dozens of times a day.
Exactly. And this is an open security issue today. It's the reason why people
needed to come up with 'first party cookies'.
https://github.com/dionyziz/rupture
> Also, remember the DMARC experience, that in practice nobody is interested in
> http reports if they can send mail. You might ask around and see if you can
> find anyone who would send http reports if they had the option to do so. I
> implemented the http option from the DMARC draft (sort of, given that the
> draft language was a mess) and the number of attempts I saw was zero.
I think STS is quite different from DMARC if many respects, but I'm interested
in the authors opinions on that - would they prefer mail delivery or https?
does it depend on deployment/hosting environment etc.
Aaron
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
