[dmarc-ietf] About UAID User Agent Identity.
Hector Santos <hsantos@isdg.net> Thu, 20 April 2023 16:59 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F07D0C15153D for <dmarc@ietfa.amsl.com>; Thu, 20 Apr 2023 09:59:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, STOX_BOUND_090909_B=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fB8MrSkKXElF for <dmarc@ietfa.amsl.com>; Thu, 20 Apr 2023 09:59:03 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [3.137.120.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FA64C14CEFD for <dmarc@ietf.org>; Thu, 20 Apr 2023 09:59:02 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=18319; t=1682009939; atps=ietf.org; atpsh=sha1; h=Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=wrjfjpRLgiYbO7+uWQoiXdDGl5Mm1UHaooDHp1R4ty4=; b=Yxfx leDtTvcUrk+NAMELM2oZBwhvtkJAEuOY2xEZyvzst2OqckoVkPxY2ZRCsvxJbim+ YgnCEx+jiBEXVUk6BsY+CzlCjgWyvzgxq8od5AZwWyY6ghChGkAU4w1ATy/DIVBb HSc3m4Mk1VcbR5Y2R4mnzj6oom35nDD4tMyp2X0=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.13) for dmarc@ietf.org; Thu, 20 Apr 2023 12:58:59 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by winserver.com (Wildcat! SMTP v8.0.454.13) with ESMTP id 2402727848.1.9060; Thu, 20 Apr 2023 12:58:59 -0400
Message-ID: <64416F58.5030405@isdg.net>
Date: Thu, 20 Apr 2023 12:59:04 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <20230419132048.50E0CC01C901@ary.qy> <CF4A2AA2-7EAC-4525-844F-530A12DEC065@wordtothewise.com> <0abf9711-ca1c-bfcf-afb2-15e16b9de149@tana.it> <f99522bf-3802-4a9d-b098-683be77de67c@app.fastmail.com> <CAH48ZfzMDLrz+nR-XaNpq+3xdvTg8FA+aF8iN-tFTE5UqvG_Pw@mail.gmail.com>
In-Reply-To: <CAH48ZfzMDLrz+nR-XaNpq+3xdvTg8FA+aF8iN-tFTE5UqvG_Pw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------010700020605040507060707"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/0YYF05O9rMVF6YsrGFqOuAIJSNo>
Subject: [dmarc-ietf] About UAID User Agent Identity.
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Apr 2023 16:59:08 -0000
On 4/20/2023 6:34 AM, Douglas Foster wrote: > If a vendor wants to serve a customer, he needs to provide a product > that the customer can use. I don't see that it is IETFs problem to > worry about a vendor with an inadequate email platform, especially > since DMARC has been around awhile. > > But I have been thinking further about the constrained > delegation issue. The general goal, at least for a single mailing is: > User2@Domain2 needs to be authorized to email for User1@Domain1. > > DKIM authorizes anyone with the private key to email for > anyuser@Domain1. The domain owner has to worry about multiple things: > > * Unauthorized Use For: Will domain2 will use the key for any > messages other then User1@Domain1? > * Unauthorized Use By: Will Others@Domain2 use the key for > User2@Domain2? > * Theft: Will be stolen and used by HostileUser@HostileDomain. > > Adjusting delegation: > > * Hector's ATSP proposal limits the delegation to Domain2. > @HostileDomain cannot steal the delegation, because the > delegation only works if a domain is authenticated by @domain1 > and has signed the message. For a high-sensitivity domain > like @WhiteHouse.Gov, they may want to require both: @Domain2 > must have a DKIM private key for @Domain1 AND @Domain2 must have > an ATSP delegation from @Domin1. > > * DKIMs "I=" clause can be used to limit the "Use For". A > signature configured with "d=domain1; i=user1@domain1" should > only authenticate messages with "From: user1@domain1". This is > an upward-compatible change in the way DMARC interprets DKIM, > not a layer violation of DKIM. This could be used two ways: > (a) possession of the private key permits use to send on behalf > of "user1@domain1", and (b) ATSP could provide user-level > delegation to only messages counter-signed by user2@domain2. > > * Subdomains can be used to limit scope: Issuing a key for > @subdomain1.domain1 is more limited risk than issuing a key for > @domain1. > * Subdomains with p=none can be used to allow a subset of messages > to be sent unauthenticated. In some cases, > allowing @subdomain.domain1 to operate unauthenticated may be > perceived as lower risk than issuing a DKIM private key. > > > The UseF > > > On Wed, Apr 19, 2023 at 10:30 PM Jesse Thompson <zjt@fastmail.com > <mailto:zjt@fastmail.com>> wrote: > > On Wed, Apr 19, 2023, at 12:35 PM, Alessandro Vesely wrote: >> On Wed 19/Apr/2023 15:37:25 +0200 Laura Atkins wrote: >> > To me it’s not so much the company can’t delegate authentication - it’s how >> > many SaaS providers (some of which are ESPs and some of which are 3rd parties >> > that send through ESPs) are incapable of supporting DMARC alignment. Not it’s >> > hard, not it’s challenging, but simply … can’t. They cannot sign with foreign >> > DKIM domains, and they cannot support different domains for SPF authentication. >> > >> > Should DMARCbis make the recommendation that if you are providing mail services >> > that you SHOULD be able to support corporate customers using DMARC? >> >> >> IMHO at least an appendix should say that if you can't do >> anything better you >> have to rewrite From: with examples of legitimate >> display-phrase, expanding a >> bit the first bullet in Section 11.4. That can also be a good >> place to explain >> the kind of damage DMARC causes. > > That's what I'm getting at. I don't really see any difference > between a mailing list and someone providing mail services (I > won't use the word ESP since that seems to be a loaded term) for > corporate customers (I would also add government customers, who > are adhering to BOD 18-01 in droves and they are also adopting > said companies providing mail services) > > The choice for both the mailing list and mail-service company is to: > > 1) ignore DMARC and continue to emit mail as the original author > intended (the author might be ignorant of DMARC too) and assume > the mailbox providers are smart enough to understand that, like > mailing lists, mail-service companies and their mail emitting > authors shouldn't be caught up by a DMARC misdeployment by the > domain owner > > 2) be cognisant of DMARC's effects, and in the interest of > keeping the author's mail flowing, use a different domain and > put the author's address in the friendly from or similar, or > just refuse to accept the messages, until delegation can be set up. > > I can say, anecdotally, that people really really want #1 to be > true, but they eventually learn #2 leads to a better long term > outcome. I'd like that "learning" to be less painful by having > something unambiguous to point at in DMARCbis. > > Jesse > > The only technical requirement for the "i=" tag is for the User Agent Identity (UAID) to equal the ADID (Author Domain) (don't recall without looking at code). The assessment equation extractable by reading DKIM-BASE is: Assessment = ASSESSOR(SDID, UAID="") where the UAID is optional. I argued during the drafting of DKIM-BASE to add back ADID by passing the ADID with SDID which is how the original DKIM modeled it: Assessment = ASSESSOR(ADID, SDID, UAID="") Unfortunately, I was the only DKIM Policy advocate objecting to DKIM-BASE trying to, as its abstract says: DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer's domain directly to retrieve the appropriate public key. So not even this backward compatible assessment was acceptable to have in the DKIM-BASE standard. Assessment = ASSESSOR(SDID, UAID="", ADID="") For many here, the reputation of the signer trumps everything. I don't think the DKIM Policy advocates ever disputed the need for reputation but as a final layer, not the first layer. This is why we have had 17 years of a DKIM Policy vs DKIM Reputation modeling conflicts in the DKIM-related working groups. Just keep in mind we have no public domain, not proposed method to do a SDID only assessment. But we certainly do have a several ADID::SDID assessment proposals! We can't totally separate the ADID from the any SDID assessment. The Author ADID, From: header, is the only required header to be hashed bound to DKIM-Signature. It is impossible to be separated from consideration, and the irony is, if the assessment of the signer is negative, it is the Author address, its MTA, its delivery agent (return-path) who gets hurt. ADID can not be separated. It is a complex situation when you are dealing with unsolicited mail when ADID does not equal SDID. This is why DMARC can only focus with a ADID=SDID policy. Now throw in the UAID and we have additional, complex, extended policies to deal with. We don't know how to use it, optimally, especially for a mailing list where thousands of emails need to be signed. Do you sign 1 list distribution for all or do you sign each list outbound message? Those are big scaling optimization considerations. For the most exclusive policy, via DMARC: p=reject; adkim=s; aspf=s everything must match. for: p=reject; adkim=r; aspf=r A little more relaxed for subdomains. I think what is there is enough for this limited policy which does not care for users using the domain outside the main stream. -- Hector Santos, https://santronics.com https://winserver.com
- [dmarc-ietf] Is From spoofing an interoperability… Laura Atkins
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Dotzero
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Douglas Foster
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Laura Atkins
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Laura Atkins
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Hector Santos
- Re: [dmarc-ietf] Is From spoofing an interoperabi… John Levine
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Dotzero
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Alessandro Vesely
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Hector Santos
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Jesse Thompson
- Re: [dmarc-ietf] Is From spoofing an interoperabi… John Levine
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Laura Atkins
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… John Levine
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Alessandro Vesely
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Jesse Thompson
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Douglas Foster
- Re: [dmarc-ietf] Is From spoofing an interoperabi… John Levine
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Dotzero
- [dmarc-ietf] About UAID User Agent Identity. Hector Santos
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Hector Santos
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Alessandro Vesely
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Alessandro Vesely
- [dmarc-ietf] Two basic Issues to address to help … Hector Santos
- Re: [dmarc-ietf] Two basic Issues to address to h… Dotzero
- Re: [dmarc-ietf] Two basic Issues to address to h… Hector Santos
- Re: [dmarc-ietf] Two basic Issues to address to h… Alessandro Vesely
- Re: [dmarc-ietf] Two basic Issues to address to h… Hector Santos