> -----Original Message-----
> From: Adrian Farrel [mailto:[email protected]]
> Sent: Wednesday, April 25, 2012 1:32 PM
> To: Murray S. Kucherawy; 'The IESG'
> Cc: [email protected]; [email protected];
> [email protected]
> Subject: RE: Adrian Farrel's No Objection on draft-ietf-marf-as-15:
> (with COMMENT)
>
> Simply (to my reading - which you may ignore if you feel I am not
> reading clearly) that the thought you captured above is not clear.
>
> I read a rather despairing statement that since DKIM and SPF might not
> be working it is a toss-up whether you have reports being discarded
> because the signature fails or reports being spoofed.
>
> If this is "state of the art" for email systems then maybe there is
> nothing else to say.
>
> It struck me, however, that reports are going to be consumed by
> automatic systems. If I get an email where the signature fails, I can
> perform all sorts of human verification of the email and make a
> judgement call on the validity of the email. A software system
> processing reports is less flexible and so more exposed.
>
> Perhaps the clarity that is needed is the strong hint that "Therefore
> the use of DKIM and/or SPF is RECOMMENDED and it is important to ensure
> that the security infrastructure is working properly."
[Cc'd to the marf list so that they can check my math here]

I'm one of those people that's not a fan of normative language in Security Considerations, so how's this?:

   Perhaps the simplest means of mitigating this threat is to assert that
   these reports should themselves be signed with something like DKIM
   and/or authorized by something like SPF. Note, however, that if there
   is a problem with the email infrastructure at either end, DKIM and/or
   SPF may result in reports that aren't trusted or even accepted by
   their intended recipients, so it is important to make sure those
   components are properly configured. Use of both technologies in
   tandem can resolve this concern to a degree since they generally have
   disjoint failure modes.

-MSK

_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
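The acceptance logic an automated report consumer would need, as an added example that is not part of the thread and not code from the MARF working group. It assumes the consumer sits behind its own MTA that verifies DKIM and SPF and stamps the outcome in an Authentication-Results header (RFC 5451 syntax, the version current in 2012); the authserv-id "mx.consumer.example", the reporting domain "reporter.example" and all sample header values are constructed for illustration. The policy accepts a report when either mechanism passes for the expected reporting domain, which is what gives the tolerance to one side's misconfiguration that the proposed text talks about; a policy requiring both would discard the report whenever either mechanism is broken.

```python
"""Acceptance policy for automatically processed abuse reports.

Added example (not from the MARF thread). Trusts only Authentication-Results
headers added by our own verifier, then requires DKIM *or* SPF to pass for
the expected reporting domain. All header values below are constructed.
"""
import re

# CFWS comments such as "(body hash did not verify)" carry no data; drop them.
_COMMENT = re.compile(r"\([^)]*\)")


def parse_authentication_results(header_value):
    """Parse an Authentication-Results header body (RFC 5451 syntax).

    Returns (authserv_id, resinfos) where each resinfo is
    {"method": "dkim", "result": "pass", "props": {"header.d": "..."}}.
    Malformed clauses are skipped rather than raising, since this runs
    unattended on untrusted input.
    """
    body = _COMMENT.sub(" ", header_value)
    parts = [p.strip() for p in body.split(";")]
    if not parts[0]:
        return "", []
    # authserv-id may be followed by an optional version number.
    authserv_id = parts[0].split()[0].lower()
    resinfos = []
    for part in parts[1:]:
        if not part or part.lower() == "none":
            continue
        tokens = part.split()
        method, sep, result = tokens[0].partition("=")
        if not sep:
            continue
        props = {}
        for tok in tokens[1:]:
            name, sep, value = tok.partition("=")
            if sep:
                props[name.lower()] = value
        resinfos.append({"method": method.lower(), "result": result.lower(), "props": props})
    return authserv_id, resinfos


def domain_of(address):
    """Domain part of an address; the whole value if it has no '@'."""
    return address.rpartition("@")[2].lower()


def report_acceptance(header_value, trusted_authserv_id, reporting_domain):
    """Return ("accept"|"reject", reason) for an incoming report.

    A header stamped by anyone other than our own verifier proves nothing
    (the sender could have inserted it), so it is rejected outright.
    """
    authserv_id, resinfos = parse_authentication_results(header_value)
    if authserv_id != trusted_authserv_id.lower():
        return "reject", "Authentication-Results not from our verifier; treat as forged"
    reporting_domain = reporting_domain.lower()
    dkim_ok = any(r["method"] == "dkim" and r["result"] == "pass"
                  and r["props"].get("header.d", "").lower() == reporting_domain
                  for r in resinfos)
    spf_ok = any(r["method"] == "spf" and r["result"] == "pass"
                 and domain_of(r["props"].get("smtp.mailfrom", "")) == reporting_domain
                 for r in resinfos)
    if dkim_ok and spf_ok:
        return "accept", "dkim and spf both pass"
    if dkim_ok:
        return "accept", "dkim pass (spf did not); tolerating an SPF-side problem"
    if spf_ok:
        return "accept", "spf pass (dkim did not); tolerating a DKIM-side problem"
    return "reject", "neither dkim nor spf passed for " + reporting_domain


# Constructed sample headers covering the failure modes discussed above.
TRUSTED_ID = "mx.consumer.example"
BOTH_PASS = ("mx.consumer.example; dkim=pass (good signature) header.d=reporter.example;"
             " spf=pass smtp.mailfrom=arf@reporter.example")
DKIM_BROKEN = ("mx.consumer.example; dkim=fail (body hash did not verify) header.d=reporter.example;"
               " spf=pass smtp.mailfrom=arf@reporter.example")
SPF_BROKEN = ("mx.consumer.example; dkim=pass header.d=reporter.example;"
              " spf=fail smtp.mailfrom=arf@reporter.example")
BOTH_BROKEN = ("mx.consumer.example; dkim=fail header.d=reporter.example;"
               " spf=softfail smtp.mailfrom=arf@reporter.example")
FORGED = "mail.attacker.example; dkim=pass header.d=reporter.example; spf=pass smtp.mailfrom=arf@reporter.example"

if __name__ == "__main__":
    for name, hdr in [("both pass", BOTH_PASS), ("dkim broken", DKIM_BROKEN),
                      ("spf broken", SPF_BROKEN), ("both broken", BOTH_BROKEN),
                      ("forged header", FORGED)]:
        print(name, "->", report_acceptance(hdr, TRUSTED_ID, "reporter.example"))
```

The check on the authserv-id only holds if the receiving MTA also strips any pre-existing Authentication-Results header that claims its identifier before adding its own, which is the usual deployment requirement for this header.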
