Opened 3 months ago

Last modified 5 days ago

#99 assigned defect

Any proposed extension to use a https failure report must provide authentication

Reported by: mike@…
Owned by: todd.herr@…
Priority: minor
Milestone:
Component: dmarc-bis
Version:
Severity: -
Keywords:
Cc:

Description

As in issue #98, failure reports are subject to spoofing, and while simply adding an SPF/DKIM requirement authenticates the mail as coming from the legitimate sending domain, how such an authentication requirement would work for an https method is far from clear. In this use case the sender is an https client and as such doesn't benefit from existing TLS-based methods of authentication (client certs are extremely rare). Naively, that would require the sender to have some sort of account with the receiver, which seems very unattractive and unscalable.

One possible workaround would be to fashion the report sent over https POST as an actual email, identical to the email-based reports, and require it to be DKIM-signed by the sender. There may be other ways to solve this, but the larger issue is that it must be solved.
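The workaround above, sketched as an added example that is not part of the ticket or of any DMARC implementation: the HTTPS POST payload is an email-format failure report carrying a DKIM-Signature header, and the receiver checks that the signing domain (d=) matches the domain the report claims to come from and that the bh= body hash matches the relaxed-canonicalized body per RFC 6376. The domain names, selector, header layout and the b= placeholder are constructed; the RSA signature check itself (public key fetched from DNS) is a further step this example does not perform.

```python
import base64
import hashlib
import re

# Constructed sample values (not from the ticket): the reporting domain
# the receiver expects, and an RFC 6591-style auth-failure report body.
REPORTING_DOMAIN = "reporter.example"
REPORT_BODY = (
    "Feedback-Type: auth-failure\r\n"
    "Version: 1\r\n"
    "Original-Mail-From: user@sender.example\r\n"
    "Auth-Failure: dkim\r\n"
)


def canonicalize_relaxed_body(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split("\r\n")
    # drop trailing WSP on each line, collapse internal WSP runs to one SP
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    # ignore empty lines at the end of the body
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body):
    """bh= value: base64(SHA-256) of the canonicalized body."""
    digest = hashlib.sha256(canonicalize_relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 3.2).
    Folding whitespace is removed from values; fine for d=, s=, bh=, b=, c=."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def split_message(raw):
    """Minimal RFC 5322 split: unfold headers into a lowercase-name dict, return body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers, current = {}, None
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and current:
            headers[current] += " " + line.strip()  # continuation line
        else:
            name, _, value = line.partition(":")
            current = name.strip().lower()
            headers[current] = value.strip()
    return headers, body


def make_signed_report(body, domain):
    """Sender side: build the HTTPS POST payload as an email-format report.
    Only bh= is computed; b= is a placeholder, since producing the RSA
    signature needs the sender's private key and is outside this example."""
    sig = (
        f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s=reports;\r\n"
        f"\th=from:to:subject; bh={body_hash(body)};\r\n"
        f"\tb=PLACEHOLDER_RSA_SIGNATURE"
    )
    return (
        f"DKIM-Signature: {sig}\r\n"
        f"From: dmarc-reports@{domain}\r\n"
        "To: ruf@sender.example\r\n"
        "Subject: DMARC failure report\r\n"
        "Content-Type: message/feedback-report\r\n"
        "\r\n" + body
    )


def check_report(raw, expected_domain):
    """Receiver side: reject a POSTed report unless it carries a DKIM-Signature
    whose d= is the domain it claims to come from and whose bh= matches the
    body. Returns (accepted, reason). Verifying b= against the public key at
    <s>._domainkey.<d> is the remaining step, not done here."""
    headers, body = split_message(raw)
    sig = headers.get("dkim-signature")
    if sig is None:
        return False, "no DKIM-Signature header"
    tags = parse_dkim_tags(sig)
    if tags.get("d", "").lower() != expected_domain.lower():
        return False, f"d={tags.get('d')} does not match {expected_domain}"
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    if body_canon != "relaxed":
        return False, "only relaxed body canonicalization is implemented here"
    if tags.get("bh") != body_hash(body):
        return False, "body hash mismatch (report altered or forged)"
    return True, "domain alignment and body hash ok; verify b= with the DNS key next"


if __name__ == "__main__":
    payload = make_signed_report(REPORT_BODY, REPORTING_DOMAIN)
    print(check_report(payload, REPORTING_DOMAIN))
    print(check_report(payload.replace("Auth-Failure: dkim", "Auth-Failure: spf"), REPORTING_DOMAIN))
```

The receiver is assumed to know which domain a given report URI should be fed by (the domain whose DMARC record named it), which is what makes the d= comparison meaningful; without that alignment check a signature from any domain would pass.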

Change History (2)

comment:1 Changed 5 days ago by todd.herr@…

  • Owner set to todd.herr@…
  • Status changed from new to accepted

comment:2 Changed 5 days ago by todd.herr@…

  • Status changed from accepted to assigned