>What if I want to send sensitive information about delivery failures? I.e. the
>way a MITM was attempted?

It's probably not a great idea to send that kind of info unless you already have a relationship with the recipient.

>See above. Opportunistic TLS is the wrong approach here in my opinion. I never
>liked it and I never will. I think the reasons
>are obvious.

Exactly. If you want to receive stuff securely, you need to publish an end-to-end encryption key, most likely PGP or S/MIME. Of course, then there's the question of how you know the key was published securely and you're already halfway down the rabbit hole. I suppose you could try to go with https, but it's got its own MITM problems with overly compliant CAs issuing wildcard certs to parties you and I don't think should have them.

DMARC experience suggests that you should send routine stuff using automated processes, and if there's something really interesting, make arrangements with the other party.

R's,
John
