wfm thanks for listening
A

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Murray S. Kucherawy
> Sent: 25 April 2012 21:43
> To: [email protected]; 'The IESG'
> Cc: [email protected]; [email protected];
> [email protected]
> Subject: RE: Adrian Farrel's No Objection on draft-ietf-marf-as-15: (with
> COMMENT)
>
> > -----Original Message-----
> > From: Adrian Farrel [mailto:[email protected]]
> > Sent: Wednesday, April 25, 2012 1:32 PM
> > To: Murray S. Kucherawy; 'The IESG'
> > Cc: [email protected]; [email protected];
> > [email protected]
> > Subject: RE: Adrian Farrel's No Objection on draft-ietf-marf-as-15:
> > (with COMMENT)
> >
> > Simply (to my reading - which you may ignore if you feel I am not
> > reading clearly) that the thought you captured above is not clear.
> >
> > I read a rather despairing statement that since DKIM and SPF might not
> > be working it is a toss-up whether you have reports being discarded
> > because the signature fails or reports being spoofed.
> >
> > If this is "state of the art" for email systems then maybe there is
> > nothing else to say.
> >
> > It struck me, however, that reports are going to be consumed by
> > automatic systems. If I get an email where the signature fails, I can
> > perform all sorts of human verification of the email and make a
> > judgement call on the validity of the email. A software system
> > processing reports is less flexible and so more exposed.
> >
> > Perhaps the clarity that is needed is the strong hint that "Therefore
> > the use of DKIM and/or SPF is RECOMMENDED and it is important to ensure
> > that the security infrastructure is working properly."
>
> [Cc'd to the marf list so that they can check my math here]
>
> I'm one of those people that's not a fan of normative language in Security
> Considerations, so how's this?:
>
> Perhaps the simplest means of mitigating this threat is to assert
> that these reports should themselves be signed with something like
> DKIM and/or authorized by something like SPF. Note, however, that if
> there is a problem with the email infrastructure at either end, DKIM
> and/or SPF may result in reports that aren't trusted or even accepted
> by their intended recipients, so it is important to make sure those
> components are properly configured. Use of both technologies in
> tandem can resolve this concern to a degree since they generally have
> disjoint failure modes.
>
> -MSK
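The policy sketched in the proposed text above ("signed with DKIM and/or authorized by SPF", with the two checks failing for different reasons) is easy to get wrong in an automated report consumer, which is exactly the consumer Adrian worried about. The following is an added illustration, not text from this thread or from draft-ietf-marf-as: a small acceptance check that trusts a report when either mechanism passed, refuses reports that were never verified or that carry a verification header not written by the site's own verifier, and defers rather than discards reports when verification hit a transient error. It assumes the receiving MTA has already run DKIM and SPF and recorded the outcome in an Authentication-Results header (RFC 5451 syntax); the verifier name `mx.example.com`, the `attacker.invalid` authserv-id and all sample header values are constructed for the example.

```python
"""Added example (not from the marf thread or the draft): an acceptance
policy for abuse reports based on DKIM and/or SPF verification results.

Assumptions (not stated on the page): the local MTA verifies DKIM and SPF
and records the result in an Authentication-Results header (RFC 5451
syntax). The authserv-id and all sample headers below are constructed.
"""
import re

TRUSTED_AUTHSERV_ID = "mx.example.com"   # constructed: our own verifier's id

# "method=result" at the start of each ';'-separated stanza, e.g. "dkim=pass"
_STANZA_RE = re.compile(r"^([A-Za-z0-9-]+)\s*=\s*([A-Za-z]+)")


def parse_authentication_results(header):
    """Return (authserv_id, {method: result}) from one header value.

    Example value:
      "mx.example.com; dkim=pass header.d=example.org; spf=fail smtp.mailfrom=example.org"
    """
    stanzas = [s.strip() for s in header.split(";")]
    # The authserv-id may carry a trailing version token ("mx.example.com 1").
    authserv_id = stanzas[0].split()[0] if stanzas[0] else ""
    results = {}
    for stanza in stanzas[1:]:
        m = _STANZA_RE.match(stanza)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv_id, results


def evaluate_report(headers):
    """Decide whether a report may enter automated processing.

    headers: dict of header name -> value; only Authentication-Results is
    consulted. Returns (accept, reason).

    Policy: accept if DKIM passed OR SPF passed. DKIM breaks when a signed
    header or the body is altered in transit (e.g. a list footer), SPF
    breaks when the message is forwarded, so requiring either rather than
    both narrows the "legitimate report discarded" case without accepting
    unauthenticated reports.
    """
    value = headers.get("Authentication-Results")
    if value is None:
        return False, "rejected: no Authentication-Results header, report unauthenticated"
    authserv_id, results = parse_authentication_results(value)
    if authserv_id != TRUSTED_AUTHSERV_ID:
        # A header naming some other verifier may have been supplied by the
        # sender itself; never take verification results from it.
        return False, "rejected: Authentication-Results not from trusted verifier %r" % authserv_id
    dkim = results.get("dkim", "none")
    spf = results.get("spf", "none")
    if dkim == "pass" or spf == "pass":
        return True, "accepted (dkim=%s, spf=%s)" % (dkim, spf)
    if "temperror" in (dkim, spf):
        # Infrastructure trouble at one end (DNS outage, key fetch failure):
        # queue for retry instead of silently dropping the report.
        return False, "deferred: transient verification error (dkim=%s, spf=%s)" % (dkim, spf)
    return False, "rejected: neither DKIM nor SPF passed (dkim=%s, spf=%s)" % (dkim, spf)


# Constructed sample reports (only the header this policy reads).
SAMPLES = {
    "signed_and_forwarded": {  # forwarding breaks SPF, DKIM survives
        "Authentication-Results": "mx.example.com; dkim=pass header.d=example.org; "
                                  "spf=fail smtp.mailfrom=example.org",
    },
    "list_footer_added": {  # body changed in transit breaks DKIM, SPF still passes
        "Authentication-Results": "mx.example.com; dkim=fail (body hash mismatch) "
                                  "header.d=example.org; spf=pass smtp.mailfrom=example.org",
    },
    "spoofed": {
        "Authentication-Results": "mx.example.com; dkim=none; spf=fail smtp.mailfrom=example.org",
    },
    "injected_header": {  # sender-supplied header naming a different verifier
        "Authentication-Results": "attacker.invalid; dkim=pass header.d=example.org",
    },
    "dns_outage": {
        "Authentication-Results": "mx.example.com; dkim=temperror; spf=temperror",
    },
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print("%-22s %s" % (name, evaluate_report(hdrs)[1]))
```

The two "accepted" samples are the disjoint failure modes the proposed text refers to: one report loses SPF to forwarding, the other loses DKIM to an in-transit body change, and each still clears the policy on the mechanism that survived. The `temperror` branch is the "problem with the email infrastructure at either end" case; deferring keeps a misconfigured or temporarily unreachable DNS from turning into lost reports.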
_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
