[dmarc-discuss] S/MIME missing
pmidge at microsoft.com
Mon Jan 30 09:07:35 PST 2012
First non-trivial post to the list, congratulations! We should have a plaque or something made up.
Being domain based, and relying on fundamentally domain-based mechanisms, including a per-address mechanism within DMARC would seem counter to its stated scope. That's a rather fundamental change, with deployment and ongoing management ramifications not applicable in DMARC's current form.
It would appear to extend the process of computing a delivery disposition from the MTA into the MUA (this may not universally be true, but it certainly would be at Hotmail). In the current form of the spec, DMARC evaluation lives entirely within the MTA.
While getting the draft ready for this launch, we maintained a list of open issues/suggestions where we all contributed to/debated the pros/cons of a given thing and had a record of it so others could follow the distilled arguments/logic. I'll see if we can get something like that posted for use with this list so that as things come up we can track them.
By all means, for now, feel free to develop the idea on the list.
From: dmarc-discuss-bounces at blackops.org [mailto:dmarc-discuss-bounces at blackops.org] On Behalf Of David Woodhouse
Sent: Monday, January 30, 2012 6:03 AM
To: dmarc-discuss at dmarc.org
Subject: [dmarc-discuss] S/MIME missing
A lot of the organisations that DMARC seems to be aimed at are organisations that are sometimes accused of being negligent because they don't bother to sign their outgoing email with S/MIME.
Sending unsigned email, just like using a non-SSL web site, is such a heinous stupidity on the part of a bank that they ought to be prosecuted for aiding and abetting the fraud that they are actively *training* their customers to succumb to.
Even if you wouldn't quite go as far as that, it has to be agreed that for things like banking, S/MIME gives a full end-to-end method of authentication that SPF and DKIM cannot, and really ought to be encouraged.
It would be useful if DMARC would provide a method to indicate that for certain domains¹ all mail shall be rejected if it is not S/MIME-signed.
Can we add S/MIME alongside SPF and DKIM as a supported method of authenticating messages?
¹ Actually *addresses* rather than domains would be better. For all the other faults and fundamental brokenness of SPF, it did at least have a mechanism to indicate a different policy for different addresses at the domain, which I don't see at first glance in DMARC.
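To make concrete the point both posters are circling (DMARC policy is keyed on the RFC5322.From domain and evaluated in the MTA, with no per-address hook), here is an added example of a minimal DMARC evaluator. It is not code from this list or from any DMARC implementation. The TXT record, the domains and the SPF/DKIM results are constructed for illustration, no DNS is queried, and the organizational-domain function is a two-label simplification of what a real receiver does with the public suffix list.

```python
"""Added illustration, not from the dmarc-discuss thread: parse a DMARC
record and compute the disposition an MTA would apply.  Everything below
(record text, domains, authentication results) is constructed sample data."""

from email.utils import parseaddr

# Constructed record for a hypothetical bank.example; in practice it would be
# fetched from _dmarc.bank.example TXT.
RECORD_TXT = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@bank.example"


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value with defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        k, v = part.split("=", 1)
        tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless stated
    tags.setdefault("pct", "100")   # sampling, ignored in this illustration
    return tags


def from_header_domain(header_value):
    """DMARC keys everything on the domain of the RFC5322.From address;
    the local part ('alerts', 'ceo', ...) is discarded here, which is why
    a per-address policy cannot be expressed in the record."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        raise ValueError(f"no address in From header: {header_value!r}")
    return addr.rsplit("@", 1)[1].lower()


def organizational_domain(domain):
    """Simplification (assumption): last two labels.  Real receivers use the
    public suffix list so that 'bank.co.uk' is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') requires an exact match, relaxed
    ('r') only requires the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_results):
    """Return (dmarc_pass, disposition).

    spf_result/spf_domain: the SPF outcome and the domain it was checked for
    (MAIL FROM, or HELO for a null sender).
    dkim_results: list of (result, d=domain) for every signature verified.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, record["adkim"])
                  for r, d in dkim_results)
    if spf_ok or dkim_ok:
        return True, "none"
    # Failed: apply p=, or sp= for a subdomain of the organizational domain.
    policy = record.get("p", "none")
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in record:
        policy = record["sp"]
    return False, policy


if __name__ == "__main__":
    rec = parse_dmarc_record(RECORD_TXT)
    d = from_header_domain("Bank Alerts <alerts@bank.example>")
    print(evaluate(rec, d, "pass", "mail.bank.example", []))
    print(evaluate(rec, d, "pass", "bulk.example", [("pass", "mailer.bank.example")]))
    print(evaluate(rec, from_header_domain("login@alerts.bank.example"), "fail", "x.example", []))
```

Note that `evaluate` never sees the local part: `ceo@bank.example` and `noreply@bank.example` get identical treatment, which is exactly the limitation the footnote above complains about and the reply calls out as out of scope for a domain-based mechanism.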