Does it make sense for the DMARC policy to not only set policy and report on DKIM and SPF but also on how the client authenticates via TLS?
As it stands today, many companies are setting up independent TLS connections between peers to accommodate the various PII laws that require encryption of data in transit, and there is no central location to place policy. The DKIM RFC describes how some deployments may have a DKIM selector per user to accommodate traveling laptops (or something to that effect). If we were to include TLS certificate information in a policy, that could allow SPF to be just as portable. And keeping in the spirit of DMARC, no PKI is needed if the implementation used certificates in DNS (TLSA): http://tools.ietf.org/html/draft-ietf-dane-protocol-23

I've seen a few posts that talk about MUAs displaying DMARC-verified messages with a golden key illustrating it's sent secure. I understand that MUAs are out of scope for the DMARC spec, but I want to mention that this feature will be confusing to my end users and customers as it stands today. I'm in the financial vertical and work with HIPAA data and other material relevant to advisory services, benefits, and life insurance. As a result we are required to encrypt all data in transport. In fact, I've worked with representatives from DMARC's sponsors (Bank of America and Fidelity, among others) to set up Enforced TLS between our companies (NFP). The reason for this was to increase security in lieu of portal-based encryption such as Voltage or Zixmail. Many of our end users and customers noticed how the contents of the message changed and they aren't requiring a login to a separate website for PII data. They thought TLS made the contents insecure in transit, when this isn't the case.

So what are your thoughts? Should DMARC also incorporate some level of TLS encryption policy and reporting, especially considering the outcome of the policy will be reflected in the MUA? Should something else be created, such as DMARC-TLS?
It makes sense to bring this up here and now because the right MTA developers are addressing message authentication via DNS policy, and TLS is used for message authentication when the subject name is trusted and aligned with RFC5322.From.

Thanks for your consideration,
Chris Lamont Mankowski
_______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
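The post contrasts DMARC policy published in DNS with TLS certificate pinning published in DNS via DANE TLSA records. The following is an added example, not code from the list post or from any MTA project: it parses a DMARC TXT record into its tags and evaluates a presented certificate against a TLSA record using the usage/selector/matching-type semantics of the DANE draft cited above (RFC 6698). The DMARC record, the certificate bytes and the SPKI bytes are constructed placeholders, and `tlsa_presentation`, `parse_tlsa_record` and `dane_accepts` are names chosen here, not a library API. Chain validity is passed in as a flag because PKIX path building is outside the scope of the example.

```python
# Added example (not from the list post): DMARC record parsing plus DANE TLSA
# matching. Certificate bytes below are constructed placeholders, not real DER.
import hashlib

# --- DMARC policy record (RFC 7489 tag=value syntax) -------------------------

def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a tag -> value dict.
    Raises ValueError when the record is not a DMARC1 record or lacks p=."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags

# --- DANE TLSA record (RFC 6698) --------------------------------------------

def _tlsa_subject(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo."""
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError(f"unknown selector {selector}")

def _tlsa_digest(matching: int, subject: bytes) -> bytes:
    """Matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if matching == 0:
        return subject
    if matching == 1:
        return hashlib.sha256(subject).digest()
    if matching == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {matching}")

def tlsa_presentation(usage: int, selector: int, matching: int,
                      cert_der: bytes, spki_der: bytes) -> str:
    """Build the zone-file RDATA a domain owner would publish for a cert."""
    data = _tlsa_digest(matching, _tlsa_subject(selector, cert_der, spki_der))
    return f"{usage} {selector} {matching} {data.hex()}"

def parse_tlsa_record(presentation: str) -> dict:
    """Parse '<usage> <selector> <matching> <hex data>' into a dict."""
    fields = presentation.split()
    if len(fields) != 4:
        raise ValueError("TLSA RDATA needs exactly 4 fields")
    usage, selector, matching = (int(f) for f in fields[:3])
    return {"usage": usage, "selector": selector, "matching": matching,
            "data": bytes.fromhex(fields[3])}

def dane_accepts(record: dict, chain: list, pkix_valid: bool) -> bool:
    """Decide whether a presented chain satisfies the TLSA record.
    chain[0] is the end-entity (cert_der, spki_der); the rest are issuers.
    Usages 0/1 (PKIX-TA/PKIX-EE) also require ordinary PKIX validation;
    usages 2/3 (DANE-TA/DANE-EE) rely on the DNS record alone."""
    usage = record["usage"]
    if usage in (0, 1) and not pkix_valid:
        return False
    if usage in (1, 3):
        candidates = chain[:1]          # end-entity certificate only
    elif usage in (0, 2):
        candidates = chain[1:]          # a CA somewhere in the chain
    else:
        return False
    for cert_der, spki_der in candidates:
        subject = _tlsa_subject(record["selector"], cert_der, spki_der)
        if _tlsa_digest(record["matching"], subject) == record["data"]:
            return True
    return False

# Constructed sample inputs (placeholders, not real DNS data or certificates).
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; adkim=s; aspf=s"
FAKE_CERT_DER = b"\x30\x82constructed-certificate-bytes-for-demo"
FAKE_SPKI_DER = b"\x30\x59constructed-spki-bytes-for-demo"

if __name__ == "__main__":
    policy = parse_dmarc_record(SAMPLE_DMARC)
    print("DMARC policy:", policy["p"], "| DKIM alignment:", policy.get("adkim", "r"))
    rdata = tlsa_presentation(3, 1, 1, FAKE_CERT_DER, FAKE_SPKI_DER)
    print("_25._tcp.mail.example.test. IN TLSA", rdata)
    record = parse_tlsa_record(rdata)
    print("presented cert accepted:",
          dane_accepts(record, [(FAKE_CERT_DER, FAKE_SPKI_DER)], pkix_valid=False))
```

Usage 3 with selector 1 (DANE-EE, SubjectPublicKeyInfo, SHA-256) is the combination that stays valid across certificate renewals as long as the key pair is kept, which is the property the post is after when it talks about portability without a PKI; a PKIX-usage record, by contrast, is only as trustworthy as the CA path it still depends on.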