On Thu, Dec 16, 2021 at 3:52 PM Douglas Foster <
dougfoster.emailstanda...@gmail.com> wrote:

> We both know exactly what causes messages to lose credentials:
> - A record that is only SMTP validated, which is then forwarded without
> SMTP rewrite
> - A message which is forwarded after modifications, such as the ubiquitous
> "this message received from an external source".   Of course, it could be a
> mailing list modification also.
>

Yes, I'm aware of this aspect of message authentication.  That wasn't my
question.

> The point of an NP test was, in my understanding, to identify names that
> were never valid in any circumstance, like "junk.junk.ietf.com", without
> any dependencies on message path.    Why would we want to create a
> duplicate of the mailing list problem?
>

I understand the first sentence.  I do not see how the second follows.

> However, if MX/A/AAAA is really the right test for fraudulent identifiers,
> then we need to open a CVE against all implementations of RFC7489, because
> implementations based on that spec have been confidently asserting honest
> identifiers without checking the MX/A/AAAA condition.
>

I don't follow this either.

> Why do I need to provide case studies?    Isn't the burden of proof on the
> team that told us that MX/A/AAAA was absolutely the best possible test to
> use?
>

Because I'm trying to understand your concern.  Sure, it's reasonable for
us to question our assumptions.  But if I don't understand how you get your
premises, or how your premises lead to your conclusions, am I being
unreasonable when I ask for clarification or concrete examples?

-MSK
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
