Re: [dmarc-ietf] Eric Rescorla's No Objection on draft-ietf-dmarc-arc-protocol-21: (with COMMENT)
Eric Rescorla <ekr@rtfm.com> Wed, 21 November 2018 16:11 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 851B2130DF1 for <dmarc@ietfa.amsl.com>; Wed, 21 Nov 2018 08:11:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.458
X-Spam-Level:
X-Spam-Status: No, score=-1.458 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KxxokGMzbCmI for <dmarc@ietfa.amsl.com>; Wed, 21 Nov 2018 08:11:16 -0800 (PST)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE6E0130DEE for <dmarc@ietf.org>; Wed, 21 Nov 2018 08:11:15 -0800 (PST)
Received: by mail-lf1-x136.google.com with SMTP id b20so4361130lfa.12 for <dmarc@ietf.org>; Wed, 21 Nov 2018 08:11:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DX+x41xKWkxZLbozJa7rHJqUxV4jdt4i5ubVF1Fu4jA=; b=wGmjZ3jKedTADr/oJSBMhHchaNUxvgBmXOu2DLzM5LqoTAffQg5jP9bXOmjQX9izmu 9OYaYkCi/pB17dTaSYZHc6ap4i5LCDHCqre/9lV/JZ9HJVpoA0dRsY8L/QkD3LUnSvfQ fRxCAdAJVc0NOnaMpKF3jd3sIgGV8hrZQzuIC0EpDfuHFfKxogEviohmFK/LZAL3Xo79 9UKBMprCg5v22+64K4Ws25Kew0ianh+OUgUU1hFx1jl5799bX7qTi/JXr0wtNH0RR/8v zXGsHwXkizmUdPOAfm6sSCszrtIxf6wlEOti8Cc9FrjlhslU/3SKWe+IjkaZTOmX7CdA gYqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DX+x41xKWkxZLbozJa7rHJqUxV4jdt4i5ubVF1Fu4jA=; b=JRA9cdYJpsYi4vORWEgZ7eO71T6/dxXxY9WJHH7JMiuCEpTCbxC6vBZYexaXqp+1AQ HLf64pJlcNE8Alj8zEiflygd6cpSMOwCuyX2aHHn7U0YARwQIkA4bNVDd7yiaD1MZNpE OazHEC89w6c8ggB6G+e9myo6H8Ujrzs/T6AkXXjBJUFzydGmPnkw3cbdHZnkdWttxtuF V+LkZkZKdX8hzgGX2ZcKcjVSUg8qnGc0SlyRpxmtXZr89dEcJgajv459eDgAwlwLsQL1 OLwYN6zm16rkOj9XeuzjeezJoy6cnMwcN0WYgsilTK5B+niKsmZdoznQmVvF7dhaT8oT bn3g==
X-Gm-Message-State: AGRZ1gLZ/wFCUG8qgzG/xaNoW9hvjYrdP6Jto6RqVBdRdykDKfzZIkDB 71g6kYyOHHqbPGcI+wWBLwC7aWw9qNW0bJr27+RfPg==
X-Google-Smtp-Source: AJdET5fXJyoMib9mqR7/nUxW0SX1S11uUvRGDA0uHRfiSKTkYr/v4AldWySIBJtjfZz4Li1SwHRXTwEL5MMT6ZdFPJo=
X-Received: by 2002:a19:41c4:: with SMTP id o187mr4393644lfa.32.1542816673907; Wed, 21 Nov 2018 08:11:13 -0800 (PST)
MIME-Version: 1.0
References: <154280980293.11332.11492838987199614779.idtracker@ietfa.amsl.com> <CABuGu1oC83vHCqm=D+gXb+1VHj5oP5_-GsfP3wF72bex2pb9Jg@mail.gmail.com>
In-Reply-To: <CABuGu1oC83vHCqm=D+gXb+1VHj5oP5_-GsfP3wF72bex2pb9Jg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 21 Nov 2018 08:10:37 -0800
Message-ID: <CABcZeBM7Zjcw9pEH_L9-Mee_Zpo5wBjtUJ8P-ZFTnQfSX180Hg@mail.gmail.com>
To: kurta@drkurt.com
Cc: IESG <iesg@ietf.org>, Barry Leiba <barryleiba@computer.org>, draft-ietf-dmarc-arc-protocol@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>, dmarc@ietf.org, dmarc-chairs@ietf.org
Content-Type: multipart/alternative; boundary="000000000000cd5c39057b2effdd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/0I17QXf76ZR0l5eZB0wJY11ikgo>
Subject: Re: [dmarc-ietf] Eric Rescorla's No Objection on draft-ietf-dmarc-arc-protocol-21: (with COMMENT)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Nov 2018 16:11:19 -0000
On Wed, Nov 21, 2018 at 8:04 AM Kurt Andersen <kurta@drkurt.com> wrote: > On Wed, Nov 21, 2018 at 6:16 AM Eric Rescorla <ekr@rtfm.com> wrote: > >> Eric Rescorla has entered the following ballot position for >> draft-ietf-dmarc-arc-protocol-21: No Objection >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> Rich version of this review at: >> https://mozphab-ietf.devsvcdev.mozaws.net/D3829 >> >> >> These would be DISCUSS-worthy comments but this is an Experimental >> document so I am just making them comments. >> >> IMPORTANT >> S 9. >> > handlers for a message. This record may include Personally >> > Identifiable Information such as IP address(es) and domain names. >> > Such information is also included in existing non-ARC related >> header >> > fields such as the "Received" header fields. >> > >> > 9. Security Considerations >> >> You need to document what the semantics of a received message with an >> ARC Chain is. As I understand it, it's that the highest-numbered >> instance N vouches that: >> It processed a message with this body, a given authres, and ARC chains >> 1..N-1. And then instance N-1 vouches that it received a message with >> a given authres, and ARC chains 1..N-2, and so on. Is that correct? >> > > Yes, that is correct, as long as you meant authres-payload. This was > stated earlier in the document, does it need to be repeated in section 9? > Where is it stated? > COMMENTS >> S 4.1.3. >> > >> > To preserve the ability to verify the integrity of a message, the >> > signature of the AMS header field SHOULD include any DKIM-Signature >> > header fields already present in the message. >> > >> > 4.1.3. ARC-Seal (AS) >> >> It would be useful to state the rationale here for why you have >> separate signatures for headers and body. >> > > They are not separate signatures for header and body. They are separate > signatures for ARC chain as an entity vs. the normal DKIM signing scope of > headers (excluding ARC) & body. > OK, so that would be useful to state. > S 7.2. >> > Through the collection of ARC-related data, an ADMD can identify >> > handling paths that have broken authentication. >> > >> > An Authenticated Received Chain allows an Internet Mail Handler to >> > potentially base decisions of message disposition on authentication >> > assessments provided by different ADMDs. >> >> "potentially base" seems pretty handwavy. As below, I think you need >> to provide some guidance about what on would actually do. >> > > Receivers are always free to do whatever they choose, including, > That's theoretically true in all protocols and yet we routinely tell people how they need to behave to be conformant. My problem here is that this document needs to provide sufficient information to the reader to understand how to interpret the ARC data and see what to do about that. -Ekr in many cases, completely ignoring information that is made available. We > are writing a separate document within the DMARC WG to cover usage > recommendations pertaining to ARC. > > > --Kurt Andersen >
- [dmarc-ietf] Eric Rescorla's No Objection on draf… Eric Rescorla
- Re: [dmarc-ietf] Eric Rescorla's No Objection on … Kurt Andersen
- Re: [dmarc-ietf] Eric Rescorla's No Objection on … Eric Rescorla