Re: [apps-discuss] Revised DMARC working group charter proposal
Scott Kitterman <scott@kitterman.com> Mon, 15 April 2013 20:02 UTC
Return-Path: <scott@kitterman.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9529621F8F7A for <apps-discuss@ietfa.amsl.com>; Mon, 15 Apr 2013 13:02:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hwGFJ2eXdS-j for <apps-discuss@ietfa.amsl.com>; Mon, 15 Apr 2013 13:02:58 -0700 (PDT)
Received: from mailout02.controlledmail.com (mailout02.controlledmail.com [72.81.252.18]) by ietfa.amsl.com (Postfix) with ESMTP id 2CC8E21F8F76 for <apps-discuss@ietf.org>; Mon, 15 Apr 2013 13:02:57 -0700 (PDT)
Received: from mailout02.controlledmail.com (localhost [127.0.0.1]) by mailout02.controlledmail.com (Postfix) with ESMTP id 4AD9F20E40FE; Mon, 15 Apr 2013 16:02:57 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2007-00; t=1366056177; bh=DXY3geJf7W4yDJVVv82P76A6S8hSLbHpZWzZC3J3BxU=; h=From:To:Subject:Date:In-Reply-To:References:From; b=gk/asFl4UljQ2RL37l5tSVmVcwxNt6bDU7si7BWS6rZUEd1eZTyowIR8P9laJV0eW oShmo/FbWHXKqA5xcHTLYXVD7S9zx1eE1DidLjYc7OLvdeUJIZLsOkrcEke4xJvXwU IIig7M//tYFwrrLe5ganJDUh07BFxelBqvE9EHG8=
Received: from scott-latitude-e6320.localnet (static-72-81-252-21.bltmmd.fios.verizon.net [72.81.252.21]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout02.controlledmail.com (Postfix) with ESMTPSA id 2242B20E4076; Mon, 15 Apr 2013 16:02:56 -0400 (EDT)
From: Scott Kitterman <scott@kitterman.com>
To: apps-discuss@ietf.org
Date: Mon, 15 Apr 2013 16:02:56 -0400
Message-ID: <3121454.RJqk1xG6s9@scott-latitude-e6320>
User-Agent: KMail/4.9.5 (Linux/3.5.0-27-generic; KDE/4.9.5; i686; ; )
In-Reply-To: <5169438B.3010400@dcrocker.net>
References: <CAL0qLwbcH-yOj0MxfGghQZPwGMt5mRBY5U5zBxdXc1oX6SogHA@mail.gmail.com> <0d7d06e2-a54b-45ec-a33f-dbfa2b20bc0e@email.android.com> <5169438B.3010400@dcrocker.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
X-AV-Checked: ClamAV using ClamSMTP
Subject: Re: [apps-discuss] Revised DMARC working group charter proposal
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2013 20:02:59 -0000
On Saturday, April 13, 2013 04:37:47 AM Dave Crocker wrote: > Scott, > > On 4/12/2013 11:00 PM, Scott Kitterman wrote: > >> So Scott, what changes to the DMARC base spec are you seeking and > >> why and who wants them and how do we know this? > > > > In part, I don't. DMARC has been developed in private by a relatively > > small group of people. I think it's not unreasonable to consider the > > spec might be improved by broader review. > > It's entirely reasonable. That's why the draft charter provides for > such future effort: "However, if resolving any of the issues listed in > the areas of focus below does require changes to the base specification, > or if the specification needs to be revised to correct technical errors > deemed essential for proper use, the group will recharter accordingly." > > The specification has been public for considerably more than a year, > including a press release and a public discussion list, with adoption > covering roughly 60% of the world's mailboxes. That's not a small base > of experience. So there's been plenty of opportunity for community > review and input, including requests for changes. And yet, there is so > far no such list of requests. Not true. There was a long thread, almost a year ago on the interaction of DMARC policy with policy aspects of other domain authentication technologies (SPF and DKIM/ADSP) that starts here: http://www.dmarc.org/pipermail/dmarc-discuss/2012-July/001104.html While some of the issues addressed in that thread have been addressed (the most critical one that DMARC policy of none should not alter processing for SPF or DKIM/ADSP in particular), I don't think the issue is fully resolved. Here's the current, relevant snippet from the draft submitted to the IETF: > DMARC-compliant Mail Receivers SHOULD disregard any mail directive > discovered as part of an authentication mechanism (e.g., ADSP, SPF) > where a DMARC policy is also discovered that specifies a policy other > than "none". {R7} To enable Domain Owners to receive DMARC feedback > without impacting existing mail processing, discovered policies of > "p=none" SHOULD NOT modify existing mail disposition processing. > Note that some Mail Receivers may reject email based upon SPF policy > mechanisms before email enters DMARC-specific processing. I think the initial SHOULD represents a layering violation that is technically inappropriate from a design perspective, will substantially complicate implementation, and is not needed. Details to follow. > > Things that were written > > > > by people who already "know" what the spec is supposed to mean are > > often less clear to those outside the group. Until a broader group > > actually reviews it, there's no way to know. > > You are correct, of course. However the range of implementers now > goes considerably beyond the original group, and yet there is so far no > concrete list of interesting changes being requested. The current implementers don't need the IETF spec. The RFC should be oriented towards future implementers (Ironic note: I was on the other side if this exact question about 4408bis in SPFbis and lost - I am now convinced that this view is the right one). Absent a working group to actually do some independent review, there's no way of knowing what would come up. The currently proposed charter, by design, minimizes the incentive to actually do so. The only IETF review of the base spec would be a, by design, very limited scope review by the IESG. > > That's not a matter of changing the protocol, but improving the text. > > Well, that's what we originally submitted for chartering, but at > least one AD didn't like it. Right, but the direction that the AD didn't like it was that the previous proposal constrained the working group too much. Removing the work entirely from the working group seems like doing the opposite of addressing the concern. It seemed to me that there were a number of reasonable suggestions, including coming from the AD in question, that did a nice job of balancing the concerns of existing implementers without handcuffing the proposed working group. I think the current draft charter is an over-reaction in the wrong directions. > > The one thing I think does need to be changed is the policy override > > approach. Changing SPF policy based on DMARC is a layering violation > > at the very least. > > Sorry, but I'm missing the reference. Please point to the section > of text you don't like and describe the kind of change you are seeking. > > (FWIW, on reflection, I'm not a fan of the term policy override, since > it implies that the recipient has somehow been bound to conformance to > the sender's policies...) See the text quoted above for the specific reference. In order to implement DMARC it's necessary for the component of a mail system that does SPF processing to have access to the 5322.From extracted from the body of the message (because of the SHOULD to skip SPF related policy decisions for domains that have a DMARC policy != none and 5322.From provides the domain needed to determine if a DMARC policy is relevant for the message). Requiring data from the message body to do operations on the envelope is not a good idea. > > While reading the envelope (HELO/5321.Mail From) I > > have to change processing based information in the body (5322.From). > > Many SPF implementations don't have access to the body making it > > difficult to implement correctly. > > If they are doing DMARC, they do have access. Eventually, but not necessarily when the SPF processing is done. I have currently deployed DMARC verification for testing (I'm adding the relevant authentication results header fields, but not enforcing reject policies). I'll use my current setup as a specific example of why following "SHOULD disregard any mail directive discovered as part of an authentication mechanism (e.g., ADSP, SPF)" adds substantial complexity to implementation and deployment due to the layering violation inherent in that requirement. For this deployment, the MTA is Postfix, the SPF verifier is pypolicyd-spf, the DKIM verifier is opendkim, and the DMARC verifier is opendmarc. Postfix has an "Access Policy Delegation" interface (http://www.postfix.org/SMTPD_POLICY_README.html) that is used by pypolicyd-spf to do SPF verification during the SMTP session. SPF 5321.Mail From and HELO results are determined and, if the mail is not rejected/deferred, an appropriate Received-SPF or Authentication-Results header field is added. This is done after mail from or rcpt to. After the body of the message is received (after data), it is passed via the milter interface to opendkim for DKIM verification (which adds an Authentication-Results header field for DKIM) and then to opendmarc which also adds an appropriate Authentication-Results header field (since I'm not enforcing DMARC policy yet, it always just adds the field). SPF checking via the "Access Policy Delegation" interface is the standard approach for Postfix deployments (in fact, the interface was specifically added to support SPF checking, although it is used for many other things as well). As is appropriate for an MTA, the policy interface operates on the envelope of the message and does not provide access to the body of the message, which typically has not been transmitted when it is invoked. The requirement to have access to the body of the message to do SPF checking in a DMARC environment is an architectural mess. > > Not only is the current design wrong, it's nor needed to solve the > > problem DMARC was meant to solve. > > Sounds like a protocol change. That's rather more than merely > improving the text. Yes, but not one that would require implementations to be changed to fix, which I think is the important point. I believe that SHOULD/MAY in "SHOULD disregard any mail directive discovered as part of an authentication mechanism (e.g., ADSP, SPF)" is probably sufficient, but since they can already do that, I don't know what the point of even having it in the spec is. > > Similarly, due to this override, a DMARC policy of none can't be used > > just to collect data as it will change mail processing as well. > > I don't understand. This particular aspect of the issue has been corrected in the current draft, sorry for dragging it in. > > The current design is wrong. The specific issues I'm concerned with > > now can be resolved without forcing existing implementers to change > > anything, so no investment is at risk. > > The idea that one can change a design, without having to change > code, is new to me. Please explain. If you change a SHOULD requirement to a MAY requirement then nothing forces existing implementations to change. The can, but they don't have to. > > Fundamentally, rubber stamping the work of a private design team is > > not the IETF way. > > What part of the work in the latest draft charter would produce > rubber stamping? > > But since you are being pedagogical about how the IETF does things, > please note that working group charters are supposed to specify the > nature of the work to be done. Working groups that start without a > sense of what problem they are trying to solve to tend to have poor > outcomes. If you can specify the nature of the technical, work to be > done, sufficiently to garner support for it, then it's certainly worth > considering. I'm aware of one technical issue that I believe to be significant that needs to be addressed and wasn't addressed by the private design group. Unless it's in scope for a working group to review the input of that work to the IETF, there is not likely to be the same level of review. Additionally, I think it is very odd to submit the base spec as an independent submission and then form a working group to extend it. As I understand it, part of a working group effort is to get consensus around technical efforts. I'm not sure how you get consensus to extend something for which there is no IETF consensus. I might even think that perhaps that the bit in RFC 4846 about the IESG review where it mentioned independent submissions shouldn't be an end run around the working group process might be relevant. It also seems to me that if the DMARC base spec seeks to modify processing for IETF RFCs, it's pretty much inherently a conflict of the type that IESG review of independent submissions is supposed to identify. I think that if DMARC were entirely laid on top of SPF/DKIM/ADSP and there was not also a parallel proposal for an IETF working group to extend DMARC, then independent submission would not be inappropriate, but I'd still prefer to see DMARC standardized through the IETF. I think that there will be a better product as a result (and I also think it's not at all difficult to craft charter language that will adequately address the equities of early adopters). Scott K
- Re: [apps-discuss] Revised DMARC working group ch… Dave Crocker
- [apps-discuss] Revised DMARC working group charte… Murray S. Kucherawy
- Re: [apps-discuss] Revised DMARC working group ch… Scott Kitterman
- Re: [apps-discuss] Revised DMARC working group ch… J. Trent Adams
- Re: [apps-discuss] Revised DMARC working group ch… Scott Kitterman
- Re: [apps-discuss] Revised DMARC working group ch… Dave Crocker
- Re: [apps-discuss] Revised DMARC working group ch… Scott Kitterman
- [apps-discuss] DMARC and the conflict of extensio… Paul Hoffman
- Re: [apps-discuss] Revised DMARC working group ch… Dave Crocker
- Re: [apps-discuss] DMARC and the conflict of exte… Dave Crocker
- Re: [apps-discuss] DMARC and the conflict of exte… Paul Hoffman
- Re: [apps-discuss] DMARC and the conflict of exte… Murray S. Kucherawy
- Re: [apps-discuss] DMARC and the conflict of exte… MH Michael Hammer (5304)
- Re: [apps-discuss] Revised DMARC working group ch… Scott Kitterman
- Re: [apps-discuss] Revised DMARC working group ch… Dave Crocker
- Re: [apps-discuss] Revised DMARC working group ch… Stephen Farrell
- Re: [apps-discuss] Revised DMARC working group ch… Scott Kitterman
- Re: [apps-discuss] Revised DMARC working group ch… Dave Crocker
- Re: [apps-discuss] Revised DMARC working group ch… Scott Kitterman
- Re: [apps-discuss] Revised DMARC working group ch… t.petch
- Re: [apps-discuss] Revised DMARC working group ch… Dave Crocker
- Re: [apps-discuss] Revised DMARC working group ch… J. Trent Adams
- Re: [apps-discuss] Revised DMARC working group ch… Dave Crocker
- Re: [apps-discuss] Revised DMARC working group ch… Scott Kitterman
- Re: [apps-discuss] Revised DMARC working group ch… Scott Kitterman
- Re: [apps-discuss] Revised DMARC working group ch… Dave Crocker
- Re: [apps-discuss] Revised DMARC working group ch… Scott Kitterman
- Re: [apps-discuss] Revised DMARC working group ch… J. Trent Adams
- Re: [apps-discuss] Revised DMARC working group ch… Scott Kitterman
- Re: [apps-discuss] Revised DMARC working group ch… Dave Crocker
- Re: [apps-discuss] Revised DMARC working group ch… Scott Kitterman