On Friday, April 05, 2019 10:25:57 AM Benjamin Kaduk via Datatracker wrote:
> I'm not sure I fully understand the security consequences of causing
> the SPF macros %{s} and %{l} to never match when the local-part contains
> non-ASCII characters, but they seem potentially quite bad. That is, if
> the policy is intending to limit allowed senders to a specific list (or
> block specific senders), would an attacker be able to avoid the
> restriction by using a non-ASCII local-part?

For the working group's consideration:

I think this part of the discuss is a result of the draft appearing to specify a change in behavior for SPF, when all it's really doing is documenting the consequences of how EAI, SPF, and DNS interact. There's no change in security considerations because there's no change in the protocol. We're merely more clearly documenting the interaction.

I'll leave it to the chairs/author/shepherd to decide how to respond to the discuss, but I think "we're just documenting how it implicitly works" is a more likely road to success than "meh, no one really uses that".

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc