On Wed, Mar 29, 2023 at 5:30 AM Trent Adams <tadams= 40proofpoint....@dmarc.ietf.org> wrote:
> Regardless of the outcome of that analysis, though, it does seem
> reasonable to ask the reporter to include a tag indicating the method they
> employed to discover the policy. They will know which method they use,
> it's reasonable to request they include it, and it'll significantly improve
> the utility of the reports. Further... while trouble-shooting
> authentication problems, it's useful to compare reports from multiple
> sources, and when doing so it'll be necessary to distinguish between
> discovery methods.
>
> In short, I am strongly in favor of including a tag within the RUA that
> indicates which discovery mechanism was employed. For all the reasons
> previously discussed, it may not be wise to key off of a version, but we
> could use some indicator of discovery.

I'm still noodling on this, but my current view is that this seems like a reasonable thing to allow for in the specification and it might be something we even want to encourage, though we ought not make it mandatory. If it turns out that implementation X doing a tree walk has a vulnerability, or that the tree walk itself is vulnerable somehow, I might not want to announce that I'm subject to attack.

-MSK, participating
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc