mrisher / smtp-sts

SMTP Strict Transport Security
Apache License 2.0
35 stars 19 forks

SMTP STS Reporting: trusting reports #115

Open eyeofthenico opened 8 years ago

eyeofthenico commented 8 years ago

How do we validate trust in reports? Can anyone at domain.com send an SMTP report, assuming DKIM validation? What about HTTPS POST?

eyeofthenico commented 8 years ago

Per discussion, we will add a section in security considerations. Will investigate in a future version how to sign the source.

abrotman commented 8 years ago

Hrm, what did we decide to add? I don't recall (or it may have been after I left)

prbinu commented 8 years ago

I think DKIM validation should be sufficient for reports sent over email. HTTPS POST may optionally leverage some signature using the existing DKIM key. AFAIK, similar reporting standards such as DMARC (sent over email) and CSP (over HTTPS) do not have any validation features.

Though it is a good feature, I would defer it to next revision.
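The thread leaves open what "DKIM validation" should actually check. A bare dkim=pass only proves that some domain signed the message; to answer the first question ("can anyone send a report?") a receiver also has to tie the signing domain to the party the report claims to come from. The following is an added example written for this page, not code from the thread or the smtp-sts project. It takes an emailed report after the receiver's own MTA has verified DKIM and stamped an Authentication-Results header (RFC 8601), and accepts it only if (1) the A-R header was written by our own authserv-id, (2) the dkim=pass signing domain aligns, DMARC-style, with both the From domain and the report's contact-info domain, and (3) the report covers a domain we own. The JSON layout follows RFC 8460 (TLSRPT), the form this draft's reporting later took; the authserv-id `mx.example.net`, the domains, the sample messages and the two-label organizational-domain approximation are assumptions made for the example.

```python
import email
import json
import re
from email import policy

# Assumed site configuration (not from the thread): the authserv-id our own MTA
# writes into Authentication-Results, and the domains we publish STS policies for.
OUR_AUTHSERV_ID = "mx.example.net"
OUR_DOMAINS = {"example.com"}

# Constructed report body in the RFC 8460 TLSRPT JSON layout.
# Only the fields the trust check needs are populated.
REPORT_JSON = {
    "organization-name": "Mail Provider Inc.",
    "date-range": {"start-datetime": "2016-04-01T00:00:00Z",
                   "end-datetime": "2016-04-01T23:59:59Z"},
    "contact-info": "tls-reports@mailprovider.example",
    "report-id": "2016-04-01T00:00:00Z_example.com",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com",
                   "policy-string": ["version: STSv1", "mode: enforce"],
                   "mx-host": ["mx1.example.com"]},
        "summary": {"total-successful-session-count": 100,
                    "total-failure-session-count": 2},
    }],
}

def build_message(ar_header):
    """Constructed emailed report; ar_header is the Authentication-Results value."""
    return (f"Authentication-Results: {ar_header}\n"
            "From: TLS Reports <tls-reports@mailprovider.example>\n"
            "To: tls-rpt@example.com\n"
            "Subject: Report Domain: example.com Submitter: mailprovider.example\n"
            "Content-Type: application/tlsrpt+json\n"
            "\n" + json.dumps(REPORT_JSON))

# Legitimate: our MTA verified a signature from the submitter's own domain.
GOOD_MESSAGE = build_message(
    "mx.example.net; dkim=pass header.d=mailprovider.example header.b=Zm9v")
# A valid DKIM signature from an unrelated domain: a pass alone proves nothing.
UNALIGNED_MESSAGE = build_message(
    "mx.example.net; dkim=pass header.d=attacker.example header.b=YmFy")
# Authentication-Results stamped by someone else's authserv-id: must be ignored.
FORGED_AR_MESSAGE = build_message(
    "relay.attacker.example; dkim=pass header.d=mailprovider.example header.b=YmF6")

AR_DKIM = re.compile(r"dkim=(?P<result>\w+)(?:[^;]*?\bheader\.d=(?P<d>[A-Za-z0-9.-]+))?")

def dkim_pass_domains(msg, authserv_id):
    """Signing domains (header.d) that OUR MTA recorded as dkim=pass."""
    domains = set()
    for hdr in msg.get_all("Authentication-Results", []):
        ar_id, _, results = str(hdr).partition(";")
        # A-R headers not written by our own MTA may have been injected upstream.
        if ar_id.split()[0] != authserv_id:
            continue
        for m in AR_DKIM.finditer(results):
            if m.group("result") == "pass" and m.group("d"):
                domains.add(m.group("d").lower())
    return domains

def org_domain(domain):
    """Organizational domain approximated as the last two labels (assumption);
    production code should consult the Public Suffix List as DMARC does."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(signer, claimed):
    """DMARC-style relaxed alignment between a DKIM d= and a claimed domain."""
    return org_domain(signer) == org_domain(claimed)

def trust_emailed_report(raw, our_domains, authserv_id=OUR_AUTHSERV_ID):
    """Decide whether an emailed report is trustworthy. Returns (accept, reason)."""
    msg = email.message_from_string(raw, policy=policy.default)
    signers = dkim_pass_domains(msg, authserv_id)
    if not signers:
        return False, "no DKIM pass recorded by our own MTA"
    from_domain = msg["From"].addresses[0].domain
    if not any(aligned(d, from_domain) for d in signers):
        return False, f"DKIM signer {sorted(signers)} not aligned with From {from_domain}"
    report = json.loads(msg.get_content())
    contact_domain = report["contact-info"].rsplit("@", 1)[-1]
    if not any(aligned(d, contact_domain) for d in signers):
        return False, "DKIM signer not aligned with contact-info domain"
    reported = {p["policy"]["policy-domain"].lower() for p in report["policies"]}
    if not reported <= {d.lower() for d in our_domains}:
        return False, f"report covers domains we do not own: {sorted(reported)}"
    return True, f"accepted; signed by {sorted(signers)[0]}"

if __name__ == "__main__":
    for name, raw in [("good", GOOD_MESSAGE), ("unaligned", UNALIGNED_MESSAGE),
                      ("forged-AR", FORGED_AR_MESSAGE)]:
        print(name, trust_emailed_report(raw, OUR_DOMAINS))
```

The same alignment rule is what an HTTPS POST variant would need: whatever key signs the POST body (the thread suggests reusing the DKIM key), the receiver still has to bind the verified signing domain to the submitter named in the report, otherwise any domain with a working DKIM setup can file reports about anyone.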