
SMTP STS Reporting: trusting reports

Open eyeofthenico opened this issue 8 years ago • 3 comments

How do we validate trust in reports? Can anyone at domain.com send an SMTP report, assuming DKIM validation? What about HTTPS POST?

eyeofthenico, Oct 24 '16 13:10

Per discussion, we will add a section in the security considerations. We will investigate in a future version how to sign the source.

eyeofthenico, Oct 25 '16 13:10

Hrm, what did we decide to add? I don't recall (or it may have been after I left).

abrotman, Nov 14 '16 18:11

I think DKIM validation should be sufficient for reports sent over email. HTTPS POST may optionally leverage some signature using the existing DKIM key. AFAIK, similar reporting standards such as DMARC (sent over email) and CSP (over HTTPS) do not have any validation features.

Though it is a good feature, I would defer it to the next revision.

prbinu, Nov 15 '16 19:11
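A receiver-side alignment check in the spirit of the DKIM suggestion above, added here as an example and not code from the smtp-sts project: a DKIM pass by itself only proves that *some* domain signed the message, so the verified d= domain must also match the domain the report claims to come from before the report is attributed to it. The Authentication-Results parsing, the subject layout ("Report Domain: X Submitter: Y") and the sample message are assumptions made for this example.

```python
import re
from email import message_from_string, policy

# Constructed sample (not from the thread): a TLS report e-mail as the receiving
# MTA hands it over after recording its own DKIM check in Authentication-Results.
SAMPLE_REPORT = """\
Authentication-Results: mx.example.net; dkim=pass header.d=example.com header.s=reports
From: TLS Reporting <tlsrpt@example.com>
To: tls-reports@example.net
Subject: Report Domain: example.net Submitter: example.com Report-ID: <id-placeholder@example.com>
Content-Type: application/tlsrpt+json

{"organization-name": "example.com", "policies": []}
"""

# Cryptographic DKIM verification is the MTA's job; this code only reads its verdict
# and decides whether that verdict actually vouches for the claimed reporting domain.
_DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?header\.d=([A-Za-z0-9.-]+)", re.IGNORECASE)


def dkim_passed_domains(msg):
    """Set of d= domains whose DKIM signature the receiving MTA reported as passing."""
    found = set()
    for hdr in msg.get_all("Authentication-Results", []):
        for d in _DKIM_PASS.findall(hdr):
            found.add(d.lower().rstrip("."))
    return found


def from_domain(msg):
    """Domain of the first From address, lower-cased ('' if the header is missing)."""
    hdr = msg["From"]
    return hdr.addresses[0].domain.lower() if hdr and hdr.addresses else ""


def submitter_domain(msg):
    """Reporting organisation named in the assumed 'Submitter: Y' subject field."""
    m = re.search(r"Submitter:\s*([A-Za-z0-9.-]+)", msg.get("Subject", ""))
    return m.group(1).lower() if m else ""


def report_is_trusted(raw):
    """Return (ok, reason). Accepts only if a DKIM pass exists and its d= domain
    strictly aligns with both the From domain and the submitter the report names."""
    msg = message_from_string(raw, policy=policy.default)
    passed = dkim_passed_domains(msg)
    if not passed:
        return False, "no dkim=pass recorded by the receiving MTA"
    sender = from_domain(msg)
    if sender not in passed:
        return False, f"DKIM d= {sorted(passed)} does not align with From domain {sender!r}"
    submitter = submitter_domain(msg)
    if submitter != sender:
        return False, f"submitter {submitter!r} is not the DKIM-aligned domain {sender!r}"
    return True, f"report attributable to {sender}"


if __name__ == "__main__":
    print(report_is_trusted(SAMPLE_REPORT))
```

Relaxed alignment (organisational domain instead of exact match) would be a small change in `report_is_trusted`; strict matching is used here so that a signature from an unrelated subdomain cannot vouch for the parent.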