Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Dave Crocker <dcrocker@gmail.com> Sat, 12 August 2017 00:04 UTC

To: Bron Gondwana <brong@fastmailteam.com>, dmarc@ietf.org
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <166070f0-4ba1-70da-1f73-885b4a7f7640@gmail.com>
Date: Fri, 11 Aug 2017 17:04:45 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/0tZofKIiSYzUJb5RCtpW5Nr1tdo>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
Precedence: list

On 8/11/2017 4:54 PM, Bron Gondwana wrote:
> On Sat, 12 Aug 2017, at 03:22, Dave Crocker wrote:
> 
> I'm just picking out the key quote here:
> 
>> On 8/7/2017 4:22 PM, Seth Blank wrote:
>>
>>     When validating an ARC signed message, one verifies the latest AMS
>>     (which must validate), and *the entire chain* of ARC Seals, not only
>>     the latest. This guarantees you a list of all message signatories -
>>     the chain of custody we're talking about.
> 
> Yes, I follow this bit, but then...
> 
>>     When evaluating the chain for final receipt, there are two states to
>>     worry about as a matter of local policy: 1) you trust all the
>>     signatories on the chain 2) there is an untrusted signatory on the
>>     chain
> 
> Which is why it's a bad idea to sign if you're not modifying, because 
> then everybody has to trust you or their chain breaks, even though you 
> didn't do anything which required signing.

I don't have an opinion about whether this conclusion is correct, but 
I'm quite certain it a type of consideration that needs to be 
fundamental, to recommendations about usage.  Who should do what, and 
why?  What are the upsides of their doing or not?  Downsides?



>>     Without the ARC Seal this determination is not possible and there is
>>     no way to evaluate the ARC chain for delivery as a final receiver.
> 
> And this is the crux of our disagreement.  Seth thinks it's necessary to 
> do more than signing a statement that you believed the message was 
> authenticated when you got it, in a way that the next hop can verify 
> your signature over your own Authentication Results plus the content of 
> the message.  I disagree.
> 
> I'm proposing exactly the same stragety DKIM uses, just with series of 
> signed "chain of custody" statements rather than the DKIM signature 
> having to align with the sender domain.

by 'strategy DKIM uses' what do you mean exactly?  I'm guessing you mean 
having the signature cover more of the header and all of the body, but 
please confirm or clarify.

d/
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

[dmarc-ietf] ARC-Seal is meaningless security the… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Tim Draegen
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… John Levine
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Scott Kitterman
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… MH Michael Hammer (5304)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… mhammer@americangreetings.com
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos