>> The most timely reporting mechanism may be neither HTTPS nor a >> separate email report, but an ESMTP extension that can signal >> authentication errors as they occur. ...
I'm getting the impression that it would be helpful to try and write down some scenarios about what the reports are for. Here's a few: 1. Company has lots of MTAs, collect statistics to see which ones are misconfigured in preparation for publishing policy statements. 2. Company's published policy statements, monitoring to see if MTAs are screwing up. 3. Detecting various sorts of MITM attacks. 4. Detecting other attacks, details unclear. For items 1 and 2, the ESMTP extension won't work, since the MTAs as likely as not won't have it. (If they did, they wouldn't be misconfigured.) For item 3 it probably won't work either since the MITM will block it. As I've said before, I expect that in practice people will send reports by mail because it's easier, but https could work if there is anyone who actually wants to use it. R's, John _______________________________________________ Uta mailing list [email protected] https://www.ietf.org/mailman/listinfo/uta
