The only justification for dropping the PSD would be to put the
domain owner in control of his organizational boundary.   This requires:

   - The ability for the evaluator to determine whether the domain owner
   designed his data on RFC 7489 or on DMARCbis.
   - The ability for the domain owner to define organizational boundaries
   anywhere he desires, so that the monolithic organization assumed by RFC 7489
   can be broken into sub-organizations as appropriate to the domain.
   - The ability for the evaluator to know that the organization definition
   cannot be manipulated to create false authentication based on false sibling
   domain alignment.

We have failed in this endeavor, and the currently proposed DMARCbis will
create evaluation chaos.   Evaluators will not know which algorithm to use
for correct interpretation of DMARC data, and domain owners will not know
which algorithm will be used by evaluators.   We could not have done worse
if we had tried.

A serious attempt to define a usable DMARCbis requires:

   - A definition of "private registry" and its impact on DMARC trust.
   - Tagging of all DMARC policy data to indicate whether it is designed
   for RFC 7489 or DMARCbis.
   - Tagging of all DMARC policy data to indicate whether it implies an
   organization top, organization middle, organizational bottom, or
   organization top-and-bottom.
   - Documentation of the unnecessary risks created by sibling alignment,
   most likely to include phase-out.
   - Controls to prevent a malicious domain owner from asserting that his
   registry parent is part of the same organization, for the purpose of
   impersonating a sibling or parent domain.

We should also drive DMARC toward strict alignment.   Because of the
overhead and the risk of organizational boundary detection, we should state
that all DMARC-compliant messages should be signed, and the signature
should provide strict alignment.    Looser definitions are used to cope
with the abundance of messages that are not DMARC-compliant but must be
accepted.   DMARC-compliant messages should not need alignment guesswork.

Doug
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
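
How relaxed alignment depends on where the organizational boundary is drawn, while strict alignment does not, shown as an added example that is not part of the original message. The domain names and boundary sets are constructed, and `org_domain` is a simplified stand-in for a PSL lookup or tree walk, not the algorithm of RFC 7489 or DMARCbis.

```python
# Added illustration. Domain names and boundary sets are constructed;
# org_domain() is a simplified stand-in for a PSL lookup or tree walk.

def normalize(name):
    return name.lower().rstrip(".")

def org_domain(name, boundaries):
    """Return the name one label below the longest suffix of `name`
    found in `boundaries` (the assumed set of registry suffixes)."""
    labels = normalize(name).split(".")
    for i in range(1, len(labels)):           # longest suffix first
        if ".".join(labels[i:]) in boundaries:
            return ".".join(labels[i - 1:])
    return ".".join(labels)                    # no registry suffix matched

def aligned(from_domain, auth_domain, mode, boundaries):
    """mode 's' = strict (exact match); 'r' = relaxed (same org domain)."""
    if mode == "s":
        return normalize(from_domain) == normalize(auth_domain)
    return org_domain(from_domain, boundaries) == org_domain(auth_domain, boundaries)

# Two views of the same namespace. hosting.example is assumed to be a
# private registry that delegates subdomains to unrelated customers.
REGISTRY_AWARE = {"example", "hosting.example"}
REGISTRY_BLIND = {"example"}

def evaluate(from_domain, auth_domain):
    """Return alignment results for each (mode, boundary view) pair."""
    return {
        ("r", "aware"): aligned(from_domain, auth_domain, "r", REGISTRY_AWARE),
        ("r", "blind"): aligned(from_domain, auth_domain, "r", REGISTRY_BLIND),
        ("s", "aware"): aligned(from_domain, auth_domain, "s", REGISTRY_AWARE),
        ("s", "blind"): aligned(from_domain, auth_domain, "s", REGISTRY_BLIND),
    }

if __name__ == "__main__":
    cases = [
        ("bank.hosting.example", "shop.hosting.example"),       # unrelated siblings
        ("news.bank.hosting.example", "bank.hosting.example"),  # same customer
        ("bank.hosting.example", "bank.hosting.example"),       # exact match
    ]
    for frm, auth in cases:
        print(frm, auth, evaluate(frm, auth))
```

The sibling pair aligns under relaxed mode only when the evaluator's boundary view misses the private registry; the strict results are identical under both views.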
