I would drop that whole third sentence, and mention sending such reports may contain PII. The document can refer the reader to non-IETF documents for information, but in general we do technical standards, and stay away from policy decisions in standards track documents.
tim

On Mon, Dec 28, 2020 at 10:57 AM Michael Thomas <m...@mtcc.com> wrote:

>
> On 12/28/20 7:48 AM, Todd Herr wrote:
>
> not a lawyer, but providing A with some information about a message that
> A sent to X seems different, from a privacy perspective, than providing A
> with some information about a message impersonating A that B sent to X, and
> I thought perhaps the generic warning might mention this distinction, if
> possible. Something like:
>
> Security considerations
>
> Failure reports provide detailed information about the failure of a
> single message or a group of similar messages failing for the same
> reason. They are meant to aid domain owners to detect why failures
> reported in aggregate form occurred. It is important to note these
> reports can contain either the header or the entire content of a
> failed message, AND THAT THE DOMAIN OWNER RECEIVING THE
> REPORTS MAY NOT BE THE ORIGINATING PARTY FOR THE MESSAGE(S)
> REFERENCED IN THE FAILURE REPORTS. IN ANY CASE, THEY may contain
> personally identifiable information, which should be considered when
> deciding whether to generate such reports.
>
>
>
> This is a tempest in a teapot. This is an issue with the originating
> domain and nobody else. They can send it to a third party even if the url
> lists them to receive the report first. The receiving domain can't know
> what they will do with the report, and the originating domain has already
> seen the mail in clear text before it was sent. IETF should stay out of the
> business of being nannies that it has no way to enforce.
>
> Mike
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc