> On Jan 3, 2018, at 12:05 AM, Ranjana Mukhia <[email protected]> wrote:
> 
>> Neither DANE nor STS provide message origin authenticity,
>> these are hop-by-hop security mechanisms that authenticate
>> only the receiving system, not the sender.
> 
> 1. What will be the provision for the message origin authenticity?

Out of scope for UTA. TLS for SMTP is a hop-by-hop mechanism, while
message (sender and content) authenticity is an end-to-end problem.

> 2. How are we going to authenticate the Sender?

This is a difficult question.

Do you mean the author of the content, or the entity responsible
for sending the message, or the entity that elected to forward
the message to the recipient?  They are not always the same.

If your goal is to protect users from "phishing", then no amount
of technology will prevent gullible humans from falling victim
to manipulation.  A well-crafted piece of social engineering does
not need to forge a particular sending address to be effective.


> Can we use DMARC for this?

Use of DANE or STS neither requires nor precludes the use of SPF,
DKIM, DMARC, ...   I personally don't publish, check or recommend
any of these.  My view on DKIM is largely neutral to mildly positive
when used as part of a reputation-based whitelisting system.  My view
on SPF is somewhat negative on technical grounds.  My view on DMARC is
that it is a terrible idea foisted on the Internet at large as a
cost-shifting exercise by the large free email providers.  If I could
wave a magic wand, nobody else would honour the (p=reject) DMARC
policies published by said providers or publish similar DMARC policies.

-- 
        Viktor.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
