IETF Logo Mail Archive

Re: [dmarc-ietf] third party authorization, not, was non-mailing list

Dotzero <dotzero@gmail.com> Tue, 25 August 2020 20:30 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B37243A0B93 for <dmarc@ietfa.amsl.com>; Tue, 25 Aug 2020 13:30:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X5wx6s2WCyPm for <dmarc@ietfa.amsl.com>; Tue, 25 Aug 2020 13:30:04 -0700 (PDT)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A8023A0B92 for <dmarc@ietf.org>; Tue, 25 Aug 2020 13:30:04 -0700 (PDT)
Received: by mail-qt1-x831.google.com with SMTP id p36so6697422qtd.12 for <dmarc@ietf.org>; Tue, 25 Aug 2020 13:30:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OxUozbb4rtpRMVDEgxNSku3QbLeaotK6cdeaYuRB9hM=; b=SRJZqje2W6Uxt0NTdxEXw4XQmIj15rub0NH1s6fyNzfnFcL/7jlrZdSl32C4AVl9n+ 8O8QAHF1oFTyiVABbj2QAmiaKzjkREWgqiv6tYWgPBoWTLjKmXtrli+WJcNVICEepGs1 asXaBNQKTbZR8gti/hseYF43QTN4Rjq+joK8mTNA0fQD4iU5QiGweH1nkgmk71ghdoay 8kJEqd2S1URv8zYuVU4vteO+GccpHcQtZiG0u6ycL74XuQsTJHJnSrTaQIvA+SG1PCd1 496ElishWxqTnff9jhbkQQzJp8l3TdexiwdtjW+O/NlfxtVzibuyHx41zeg7jDqLvrSF VIPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OxUozbb4rtpRMVDEgxNSku3QbLeaotK6cdeaYuRB9hM=; b=EsuIxsTmqK58wR31eLSZHqOq4RM0nsn0Emk5WCUiWcNiUFBwMNZt+UJC4Q4ujVy4ri MTYmhg0uuNAd7GrttGGiUvSdyty3ZjG6Be227k+tiJ1FLuJU+PM3JV2VqQFnLD08qtwN 5YTxfaDxCu/Lfl7GP5vL8QabY18r1cLHBTeCARya9iHTrgBkCDnCKO2FtawdU23yQ+lb gA7yrN5YB0lfH/aeXnhw4XyRRT9IO17n7Ib2n7qIkMnxFtinUn6jq/FpOl7SwWGv37la Zm3c03mi3MwWsgCm67jT0rH285C9HZ1AwLOHXupaWa+YfXNkrBBDLIo6/u2Rs4Q/h7qy JPng==
X-Gm-Message-State: AOAM530SoVa4eWj8y66Vv6Y+CMHqjOhUnngzIe5XD1WMEQQ/rOr2lwnF sgEybbdGFbC54rXgU/wQQMjwAG2sDerzsq0LYnEdKXRDa+Q=
X-Google-Smtp-Source: ABdhPJySv9vpejwBfAXD5ZZNZgtcj55OsdOIjXlPgPMCvGGNNd3pJgIobfzxGIkt3gXhY9h1YQOw95JsDidxWqqKjkQ=
X-Received: by 2002:ac8:660f:: with SMTP id c15mr11297165qtp.34.1598387402985; Tue, 25 Aug 2020 13:30:02 -0700 (PDT)
MIME-Version: 1.0
References: <20200824172403.A927C1F14BF5@ary.qy> <5fe7d5c2-7330-c9fb-2856-e7dfc2175c82@tana.it> <CAJ4XoYc1vutV61E-66DHWcdOxHmCUWiC0HC0AmiRYUcMxLgcCQ@mail.gmail.com> <1fe7a47f-4ebc-7621-2c1-e4803473e8d7@taugh.com> <CAJ4XoYf3_y4tb5JYm5fGndqxKN+070LvZ6i5kjHKqH0NnbHnhg@mail.gmail.com> <13aa3f6f-df8-4ea-c075-9a1e885b28da@taugh.com>
In-Reply-To: <13aa3f6f-df8-4ea-c075-9a1e885b28da@taugh.com>
From: Dotzero <dotzero@gmail.com>
Date: Tue, 25 Aug 2020 16:29:51 -0400
Message-ID: <CAJ4XoYdqxEFE=g4RxXKh81iH+iq86aXqCB-jUshi+EH5k+t0Xw@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005e57b605adb99134"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/-5VhCv8hmFs_fnj_AubgC1oWUIg>
Subject: Re: [dmarc-ietf] third party authorization, not, was non-mailing list
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2020 20:30:06 -0000

On Tue, Aug 25, 2020 at 2:13 PM John R Levine <johnl@taugh.com> wrote:

> On Tue, 25 Aug 2020, Dotzero wrote:
> >>> I would expect there to be multiple potential approaches to identifying
> >>> acceptable intermediaries.
> >>
> >> The harder part is to decide which intermediary gets to re-sign which
> >> message at the time you apply the weak signature.
> >
> > It would have be the domain in the "To" field.  It wouldn't work with
> > random unknown intermediaries. It would address the MLM issue as long as
> > the MLM domain is the same as the "To" domain when the message was
> > originally sent. It could also presumably work for vanity domains if they
> > DKIM sign. It wouldn't work for forwards on the receiver side that the
> > sender is unaware of.
>
> If the list is somelist@lists.foo.org, does the signature have to be
> d=lists.foo.org?  How about d=foo.org?
>

This is something that would have to be thought through and discussed. I
want to lean towards exact match but I could be convinced that the base
organization signature would be acceptable as a starting point. I would
recommend anyone coding this for signing to use a flag to easily switch
between the two. I'd recommend that any intermediary doing signing consider
using the CNAME approach so that all their lists can easily be signed with
an exact match signature. This is one of the areas where implementation and
operational considerations may differ from standards considerations.

>
> On the flip side, do you put a weak signature on all of your outgoing
> mail, which seems like a bad idea, or just mail that you expect to go
> through list modification?  In the latter case, how do you tell?  These
> are the scaling problems that I fear make this unworkable.
>

I think only putting the weak signature on mail you expect to be modified
would be the way to go. As I indicated in my previous post, there are
multiple ways to address identifying which mail is likely to go through an
intermediary.  Large mail providers/data gatherers probably already have an
awareness in this space. Others could probably create lists which could be
checked realtime or updated/downloaded once or twice a day. Organizations
could also enable self registration of intermediary use by their users. It
might also be a combination of these approaches. I don't see this as an
issue that makes scaling unworkable. There are plenty of folks checking for
blocklists, how does this differ significantly either operationally or in
scale?

Michael Hammer

v2.23.0 | Report a Bug | By Email