I think the general point is that when DMARC was originally written, there
was a general expectation that forensic reports were essential to get
domains to authenticate properly, and would be generally provided.

We now know that forensic reports come from only a handful of places,
mostly because of PII considerations arising from how reports are redacted
in practice.

A privacy consideration should say such a thing: specifically, it should
clarify what may be in a report that could be categorized as PII even after
intended redaction, but refrain from legal advice.

Seth, with Schrödinger's hat

On Fri, Dec 18, 2020 at 12:05 PM John R Levine <jo...@taugh.com> wrote:

> > Info which is encoded in such a way that only the sender can understand
> > raises no PII concern, IMHO.  A sender could cache sent messages and
> > devise how to encode the corresponding filenames in DKIM selectors.
> > Reporting just the failed signature would leak the whole message by
> > reference.  So what?
>
> Now he knows which forwarded recipients are talking with his users.
>
> >> Also, whether we use the current Org domain heuristic or a tree walk
> >> to find a higher level DMARC record, there is no way to reliably tell
> >> the relationship between a domain publishing the rua or ruf tag and a
> >> subdomain being reported. Partly this is the Holy Roman Empire
> >> problem, partly the PSL is just incomplete and always will be.
> >
> > Right.  A user can use a submission server which is trusted not to relay
> > messages to third parties.  Yet, ruf= can point to a completely different
> > environment.
>
> No, that's not what I was talking about.  I am the registry for
> someplace.ny.us, and the county government is co.someplace.ny.us.  I get
> all of the DMARC reports for the county's mail.  Oops.  I'm not being
> hypothetical here.
>
> > To avoid that risk, one can send just the header, and redact it
> > appropriately. Should the spec give practical advice about how to do that?
>
> Since it doesn't solve the problem, no.
>
> >>> Any lawyers in this WG?
> >>
> >> The IETF most definitely does not provide legal advice.
> >
> > That sounds more like a bug than a feature.  We should at least check
> > that any advice given is legally sound.
>
> There are 195 countries in the world, and many like the US have states or
> provinces with different legal systems.  Legally sound where?
>
> R's,
> John
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>


-- 

*Seth Blank* | VP, Standards and New Technologies
*e:* s...@valimail.com
*p:* 415.273.8818

