I just reviewed the draft, without attempting any reconciliation to the ARF document on which it depends, and found it to cover all the expected bases.
My request on Security Considerations is still applicable. It comes from a perspective that has developed over the last 6 years of constantly battling email threats. When a "clean" mail stream is one with "only" 50% unwanted traffic, all communication should be informed by the pervasiveness of threats.

As Rosie the Riveter said, "Loose lips sink ships!" That principle means that I communicate differently depending on whether I am talking to a friend, a foe, or an infrastructure service that serves both. Enemies get silence, friends get information. Infrastructure only gets information that will not be passed along to foes.

The adaptation to enemies should have begun with Email Core. With so many new documents past last call, the opportunity has mostly been lost. But I surface ideas as I understand their importance, even if the timing is inconvenient.

Of all the in-process documents, this may be the least important one for acknowledging threats caused by information leakage to foes. Nonetheless, the threat exists and I think it is time to document it.

Doug Foster

On Sun, Jun 29, 2025, 5:17 AM Steven M Jones <[email protected]> wrote:

> On 6/29/25 1:25 AM, Alessandro Vesely wrote:
> >
> > Let me remind you there were discussions and changes in November and
> > January. All the issues were closed. At that point the draft was
> > considered ready, until the surprise closure in March.
>
> Those changes were made in preparation for the Working Group wrap-up.
> And let's be clear, that wrap-up was not a surprise - Murray had been
> very clear about his intentions and the timeline. Despite that, we
> didn't get it submitted for the broader review process that leads to
> publication.
>
> Looking at the draft I don't see it as especially "incomplete," but ...
>
> The Privacy Considerations section is a significant portion of the main
> document (excluding the appendix), and spells out the exposure of
> forwarding / mailing list membership. But are there other privacy
> considerations that haven't been documented?
>
> The DDoS potential is mentioned in section 5 and at the end of 2 -- does
> that need to be mentioned explicitly in Security Considerations? Does it
> need to be mentioned in the Introduction, as PII is?
>
> What else is lacking?
>
>
> --S.
>
>
> _______________________________________________
> dmarc mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
