9091 was experimental, and the results of that experiment have been folded into DMARCbis. This section of the document acknowledges that and formally deprecates 9091: https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-28.html#name-policy-discovery-and-organi
Seth, as Chair, putting this thread to bed.

On Sun, Nov 19, 2023 at 4:32 AM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:

> I reviewed the list of DMARC-publishing PSL entries and realized that the 10-fold increase in PSL DMARC participation was due to the success of RFC 9091. Private registries are deploying policies to protect their sub-registry clients.
>
> It is indeed unfortunate that concerns about PSL accuracy were not raised prior to that document being published, as it could have included a requirement to add a PSL tag.
>
> But since a PSD tag was not specified in RFC 9091, we have a problem: Registries have published policies to be interpreted as the default policy for an organizational domain one label lower, but the tree walk interprets it as an organizational domain, leading to the sibling impersonation vulnerability. The RFC 9091 defense suddenly becomes an attack vector.
>
> Options seem to be:
> 1) Publish an errata or amendment to RFC 9091 and wait for all DMARC-publishing PSL entries to add the PSD=Y flag before publishing DMARCbis,
> or
> 2) Specify that the tree walk stops at the lower of PSD=N, one label below PSD=Y, or one label below the PSL entry. This allows domain owners to correct for missing PSL entries that cause the selected organizational domain to land too high. (Another tag strategy could be created to allow domain owners to correct for PSL entries that land too low, but we don't have that defined now.)
>
> What will we do?
>
> Doug Foster
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc

--
Seth Blank | Chief Technology Officer
e: s...@valimail.com

This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified that any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
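The tree-walk behaviour discussed in the thread, as an added example that is not from the list archive or from any DMARC implementation: a simplified DMARCbis-style organizational-domain discovery over a constructed zone, showing how a registry record published without a psd tag makes sibling customer domains share one organizational domain (so relaxed alignment passes between them), and how either psd=y on the registry record or psd=n on the customer record restores the boundary. The zone contents, the names co.example, alice.co.example and bob.co.example, and the simplified walk (a plain parent-by-parent climb with no label-count limits) are assumptions.

```python
# Added example: simplified DMARCbis-style organizational-domain discovery.
# Constructed zone and domain names, not a real registry. The walk climbs
# parent by parent with no label-count limits (an assumption; DMARCbis
# itself bounds the number of queries).

# Registry "co.example" publishes an RFC 9091-style policy with no psd tag;
# alice.co.example is one customer, bob.co.example another with no record.
ZONE = {
    "_dmarc.co.example": "v=DMARC1; p=reject",
    "_dmarc.alice.co.example": "v=DMARC1; p=reject",
}


def parse_tags(record):
    """'v=DMARC1; p=reject; psd=y' -> {'v': 'dmarc1', 'p': 'reject', 'psd': 'y'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def tree_walk(domain, zone):
    """Records found at domain and each ancestor, ordered longest to shortest."""
    labels = domain.lower().split(".")
    found = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        record = zone.get("_dmarc." + name)
        if record:
            found.append((name, parse_tags(record)))
    return found


def organizational_domain(domain, zone):
    labels = domain.lower().split(".")
    walk = tree_walk(domain, zone)
    if not walk:
        return domain
    for name, tags in walk:            # longest psd=n wins: the owner marks the boundary
        if tags.get("psd") == "n":
            return name
    for name, tags in walk:            # psd=y marks a PSD: org domain is one label below it
        if tags.get("psd") == "y":
            depth = len(name.split("."))
            return ".".join(labels[-(depth + 1):]) if len(labels) > depth else name
    return walk[-1][0]                 # otherwise the shortest domain that has a record


def relaxed_aligned(from_domain, auth_domain, zone):
    """Relaxed DMARC alignment: both identifiers resolve to one organizational domain."""
    return organizational_domain(from_domain, zone) == organizational_domain(auth_domain, zone)


# Registry-side fix (psd=y) and domain-owner-side fix (psd=n), as separate zones.
REGISTRY_FIXED = {**ZONE, "_dmarc.co.example": "v=DMARC1; p=reject; psd=y"}
OWNER_FIXED = {**ZONE, "_dmarc.alice.co.example": "v=DMARC1; p=reject; psd=n"}
```

With ZONE as published, alice.co.example and bob.co.example both resolve to co.example and align with each other; with either fixed zone they resolve to themselves and no longer align.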