These are the potential data harvesting strategies that I can envision.
Are there others?
Data harvesting by originating domain
(I don't see how data harvesting by the originating domain can be
considered a privacy violation, but these are the strategies:
- Report data can be matched to
On Tue 25/Apr/2023 21:08:56 +0200 John R Levine wrote:
Looks mostly good to me. By the way, that bit about a malicious
Doamin Owner is not hypothetical, and I don't think I'm malicious.
Just make it A Domain Owner ...
Agreed, just Domain Owner then.
Alessandro Vesely wrote on 2023-04-26
On Tue 25/Apr/2023 21:08:56 +0200 John R Levine wrote:
6.1. Data Exposure Considerations
Aggregate reports are limited in scope to DMARC policy and
disposition results, to information pertaining to the underlying
authentication mechanisms, and to the domain-level identifiers
involved
6.1. Data Exposure Considerations
Aggregate reports are limited in scope to DMARC policy and
disposition results, to information pertaining to the underlying
authentication mechanisms, and to the domain-level identifiers
involved in DMARC validation.
Aggregate reports may expose
Brotman, Alex wrote on 2023-04-25 19:32:
I'm not disagreeing with the idea below, just that by omitting this in the
draft, we could leave it open to interpretation that it *always* will be a
privacy violation. This could justify decisions by some receivers to decline
to send reports.
t;Otherwise, I'll remove 6.3.
>
>--
>Alex Brotman
>Sr. Engineer, Anti-Abuse & Messaging Policy
>Comcast
>
>> -Original Message-
>> From: dmarc On Behalf Of Scott Kitterman
>> Sent: Tuesday, April 25, 2023 1:14 PM
>> To: dmarc@ietf.org
>> Subject: Re:
. Engineer, Anti-Abuse & Messaging Policy
Comcast
> -Original Message-
> From: dmarc On Behalf Of Scott Kitterman
> Sent: Tuesday, April 25, 2023 1:14 PM
> To: dmarc@ietf.org
> Subject: Re: [dmarc-ietf] [EXTERNAL] Re: I-D Action: draft-ietf-dmarc-
> aggregate-reportin
Assuming for a moment that single user domains can't have a privacy violation
(I'm not sure I agree), how about a two person domain? Three? Unless it's
impossible to have a report that contains personal information, mail receivers
(report senders) absolutely can't rely on the assertion in
John is not alone, I too can recognize single posts. However, I'd argue that
in such cases there is no privacy violation. You violate privacy when you
collect personal data of (several) people *different from yourself*.
Best
Ale
On Tue 25/Apr/2023 18:36:34 +0200 Scott Kitterman wrote:
My
My suggestion is delete all of it. It's accurate for some cases, not for
others. If you want to keep any of it, I think it needs to be properly
caveated. I expect that would be a Sisyphean task that's not worth the effort.
Scott K
On April 25, 2023 2:54:46 PM UTC, "Brotman, Alex"
wrote:
> As explained in 6.1, that's not actually true if the domains are small enuogh.
> In some of my tiny domains I can often recognize individual messages I've
> sent. I'd just delete these sentences.
I'd argue that you're in a (mostly) unique situation where you're the sender
and the report
11 matches
Mail list logo
