Re: [apps-discuss] The authentication server id, was rfc5451bis

Alessandro Vesely <vesely@tana.it> Thu, 28 March 2013 17:08 UTC

Return-Path: <vesely@tana.it>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4A3521F8ECC for <apps-discuss@ietfa.amsl.com>; Thu, 28 Mar 2013 10:08:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.719
X-Spam-Level:
X-Spam-Status: No, score=-4.719 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JNL2szPPPblm for <apps-discuss@ietfa.amsl.com>; Thu, 28 Mar 2013 10:08:05 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by ietfa.amsl.com (Postfix) with ESMTP id 23E3C21F8E63 for <apps-discuss@ietf.org>; Thu, 28 Mar 2013 10:08:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=beta; t=1364490482; bh=2sSSvhLq699OOXwSRvQj/kLbJ9bZXzoIFoqEgWSqjYs=; l=4463; h=Date:From:To:References:In-Reply-To; b=UZbt2GEvp2+bKCoRiinNY/QcKHxhrcXGkrJXHZRFGymR/2PeeKmYCp7Oo9BIiBF+z bAbBkPC5R+WssGKYD4+1YhVHuRdcf6vmlnXx86zZL2zeYY5W4wgufCQ06dYvdlFawq R+L4srNlewrJ7klmETbR1c/wghPfnicqmqzPsvVo=
Received: from [172.25.197.101] (pcale.tana [172.25.197.101]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Thu, 28 Mar 2013 18:08:02 +0100 id 00000000005DC039.00000000515478F2.000008F4
Message-ID: <515478F2.9070702@tana.it>
Date: Thu, 28 Mar 2013 18:08:02 +0100
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:17.0) Gecko/20130307 Thunderbird/17.0.4
MIME-Version: 1.0
To: apps-discuss@ietf.org
References: <CAL0qLwbgjnt8Msofok3ExKBmChtQPfMEFgrrZBimEzU5CYgSjA@mail.gmail.com> <514432BC.1010805@tana.it> <51443483.9030805@tana.it> <CAKHUCzwBrEPSVc4VtJMKZLm+5it3h7dLiW+YZ=_xO2OwP_rLoA@mail.gmail.com> <51458A59.8040206@tana.it> <CAL0qLwYEe9Wmvr-+eZL_yqChRf+a+11zRXCmW2Md9PGvH9PK-g@mail.gmail.com> <514DFAC8.7040406@tana.it> <CAL0qLwbqNUbPOYbXQEzM6X4=RLiqCQG2TbsO9A8PaE+a3Z3oNQ@mail.gmail.com> <514EEBB7.40205@tana.it> <CAL0qLwZZ3iB1BwtfK6TxooEzbTwSxm-KZYgcMMdPUp3OyMpMag@mail.gmail.com> <515040D2.1080409@tana.it> <CAL0qLwa4+na-bAauXN1cySyxLxrKWETONcVLc-Ncf5tdyhY+4w@mail.gmail.com> <51519767.4060808@tana.it> <CAL0qLwYU4CwN4=xFpb5wzSfjmsegxncy95KBP7M2irNf1gR1hg@mail.gmail.com> <5151F698.60309@tana.it> <CAL0qLwZKJ1mGPcXDhYFNA_ZM7jByEP3WWHMmHEx-pTVtGNT9jQ@mail.gmail.com> <5152E2DB.4030807@tana.it> <CAL0qLwZ5-GAJDAS1Wd4y9cFaOk5zfM2UDNdzUh82v+Y=0wRvkA@mail.gmail.com> <51533D3D.20702@tana.it> <CAL0qLwap9XuD0ahnoT4R33Nnbus4i_Ksg9QDS7RsVzqWi8xc2A@mail.gmail.com>
In-Reply-To: <CAL0qLwap9XuD0ahnoT4R33Nnbus4i_Ksg9QDS7RsVzqWi8xc2A@mail.gmail.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Re: [apps-discuss] The authentication server id, was rfc5451bis
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2013 17:08:07 -0000

On Wed 27/Mar/2013 20:53:32 +0100 Murray S. Kucherawy wrote:
> On Wed, Mar 27, 2013 at 7:41 PM, Alessandro Vesely <vesely@tana.it> wrote:
> 
>> Another reason to review implementations is the version requirement of
>> Section 2.4.  Don't you need to say explicitly that the field version
>> being specified is "1"?
> 
> The version is indeed 1, but it is optional in the ABNF.

Fine.  But since the spec says:

   if a parser finds a version after an authserv-id
   that it does not explicitly know,

then, a parser designed after 5451bis has to _guess_ that the one it
knows is indeed "1".

>> It disables transitive extensions of trust.  The assumption that the
>> producer has the same list of trusted identities as the consumer
>> imposes restrictions on the trust boundary.
> 
> But this isn't a new requirement.  It has always been the case that the
> consumers need to know how to identify the instances produced by its own
> ADMD.

My point was that the producer needs to know the list trusted by the
consumers, in order to remove spoofed fields.

> I don't think this document (old or new) goes to great lengths to establish
> transitive trust mechanisms, and shouldn't unless there are implementations
> that do so.

I agree that it shouldn't:  Section 1.2 is clear about being agnostic
on the trust boundary.  However, if the local definition of "trust
boundary" is such that a producer doesn't know the whole trust-list,
then the MUST in the first paragraph of Section 5 is not actionable.

>> Do you have an idea of what percentage of opendkim users configure
>> those regexps complicatedly?
> 
> I don't think there are any regular expression configurations in
> opendkim with respect to A-R.

Oops, I thought the patterns in "RemoveARFrom" were regular
expressions rather than plain strings.

> Either way, no, I have no idea how many people are using.  I recall
> only one or two ever discussing it.

Yeah, not worth overworking on that.  Sorry I raised that point.

>>> The document already goes as far as saying one can also remove
>>> all of them if it chooses, just to be safe.

Besides simplicity and security, that choice allows extensibility of
the trust boundary.

>>>> Renaming rather than removing solves some issues with debugging and
>>>> signature verification, so I'd consider it anyway.
>>>
>>> True, but the agent removing suspect header fields could also log or
>>> otherwise record them as it does so.
>>
>> That needs to be done cleverly to avoid losing the field's position,
>> and is unpractical for signature verification.  Another possibility is
>> to comment out the field content.  Like logging, that allows
>> additional explanations with it.  If the header was signed with the
>> relaxed algorithm there's no need to worry about added whitespace.
> 
> Any modification, including removing or altering in place, risks clobbering
> otherwise valid signatures.  They aren't different in that regard.

Renaming by prefix insertion allows recovery at very small risk, with
very simple code:

  dkim_header(dkim, start + dkim_unrename,
     eol - start - dkim_unrename);

where dkim_unrename is either 0 or the length of the prefix inserted
by the upstream agent.  Note that the code above doesn't know whether
the field is actually signed or not.

>> Perhaps the spec can mention the three possibilities, delete, rename,
>> and comment-out, and then pretend that the term "remove" means any of
>> such dismissals, when used for the A-R header field in the rest of the
>> document.  However, five times the I-D uses the term "delete" instead.
> 
> Do you know of any extant or proposed implementations of the non-delete
> options?  I don't think it's appropriate to revise a Proposed Standard by
> peppering it with a giant "maybe".

Courier-MTA does rename.  That will go in Debian and other distros
when released.  I discussed the A-R issue with Sam Varshavchik and was
initially unhappy with the solution he came up with.  Now that I have
experienced configuring and coding my filter to work that way, I must
say he was right:  It's simple, secure, and can be undone at will.

I'm not proposing to standardize renaming, since that should consider
also conventions on what prefix to use, and maybe even how to sign in
the presence of such prefix.  But I think the standard should avoid a
"MUST delete", as dismissals by any other means sort the same effect.