I plead mea culpa in only sort of following the marf work without providing input. This is of interest to me but I'm feeling that I am spread kind of thin these days. I will try to give a deeper read and give more meaningful input based on Murray's request. One comment inline.
Mike On Wed, Dec 7, 2011 at 8:28 PM, Frank Ellermann <[email protected]> wrote: > On 7 December 2011 21:12, Murray S. Kucherawy <[email protected]> wrote: > >> I haven’t had much in the way of feedback on it except through targeted >> requests for reviews. > > Some quick observations: s/4871/6376/, s/sender/signer/ (or whatever is > state of the art in DKIM terminology), and maybe say "alleged author" if > that is the correct ADSP term. It was straight forward to find _where_ > the marf-reporting-discovery will find its TXT, for marf-dkim-reporting > it took me some time to check RFCs 6376 + 5617. I think (could be wrong) > that I understand the ADSP part, but I'm less sure about the DKIM part. > > The SPF draft has an example where example.org wants reports at another > domain [email protected] That makes me nervous, the opposition > could publish malicious DNS records for some kind of indirect attack. > > I don't see why that's necessary for SPF or ADSP. It might be different > for broken or forged DKIM signatures, but generally I think that anybody > "doing something" with mail at a domain where they can add TXT records > can also arrange a postmaster@ or similar mailbox at this domain. > Some organizations (such as my own) use a 3rd party service for handling authentication FBL emails. We don't use ADSP and the mail flows involved are (all) DKIM signed. I recognize the risk you indicate but I think there are much easier attack vectors than this. > For ri=1 (non-zero) how long are receivers expected to wait for another > incident? If you want ri=9, and I get only 8 broken signatures within > a day, does this mean that you want no report because 8 is less than 9? > > Or do you want no second report before I got 2*9 broken signatures, no > matter how long it takes? It is not clear for me why receivers would > ever wish to follow detailed instructions about their reports, even > including MUSTs and MUST NOTs in section 5. > > For ADSP ro=u I'm not sure what it is, is this simply "all minus ro=s"? > Should the ADSP ro=u explanation (5.2) say "and" instead of "but"? > > The rf=smtp + rs=... magic is apparently something in the direction of > the SPF exp= magic. Or maybe not, please add more than one example for > rf=smtp + rs=... tricks (or a pointer if this is explained elsewhere.) > > For ADSP + DKIM the marf-reporting stuff should fit into the relevant > TXT records, for SPF I'm not sure. If you (= the WG) intend to create > a general _report discovery mechanism it would be confusing to create > additional specific ADSP + DKIM + SPF mechanisms, and vice versa, but I > have no idea or opinion what's better (specific vs. general _report). > > -Frank > _______________________________________________ > marf mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/marf _______________________________________________ marf mailing list [email protected] https://www.ietf.org/mailman/listinfo/marf
