IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

Brandon Long <blong@google.com> Fri, 03 August 2018 17:24 UTC

Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE9FB131070 for <dmarc@ietfa.amsl.com>; Fri, 3 Aug 2018 10:24:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level:
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wv-n6hKAZrxY for <dmarc@ietfa.amsl.com>; Fri, 3 Aug 2018 10:24:35 -0700 (PDT)
Received: from mail-yw1-xc32.google.com (mail-yw1-xc32.google.com [IPv6:2607:f8b0:4864:20::c32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8CD113106B for <dmarc@ietf.org>; Fri, 3 Aug 2018 10:24:34 -0700 (PDT)
Received: by mail-yw1-xc32.google.com with SMTP id l189-v6so1240102ywb.10 for <dmarc@ietf.org>; Fri, 03 Aug 2018 10:24:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pOzJw23Qc9QXlKJM2mbTeLmN2CGKTOwm7wvDXzL1/ck=; b=rEQ983nNayfbedf0FNG3kWliBcViXXBxgLbohRECGnsuH/Tqq8PmHE1P9r/SXa0iyD yAXm2Q00AzeM2M3U3y83qBT1zdezIXgbU7DeGlSN+1irzvsR/CCeS86N0C7hjYSaTqUD XGHwHKDQ8M0o/PwuGhanfR/dc64EkQtG/HSTOUjVjtESuTMR/y1wxBw+BFvZGJMUkT6u 48OwYBVT/rLzc16+/mVmBqAnP5Zz525NKPxLwCP/Mp+yoCYpDqJYonuGnnr3XB7lZlat fZlfQIPRVzpjegtK2bkqGo+6nCocf5FpZZMeXm22o0MgNqHjEIAJBhzVcLPasn1tAjqh +RFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pOzJw23Qc9QXlKJM2mbTeLmN2CGKTOwm7wvDXzL1/ck=; b=qrCrC+sIJm3ENAIKKeHp+WNr7xnIhNTJ6jk/ZBad3WmQvKOQjv5zGQGiKBYrk+tgmF Of9xmPbYL7XAeRC1D5/QAhA57AZjpozg6vQTkSJ7hcd0UYAjB6gRHkSJUwD1tVPB5R32 Qbpi8ZuJ3+fczSguoXtQ8LIr6GZM6QC4cMrzE3mal8FHztXTOsNfwwGCMQ/JRdcg1y8I r6/nesxrHLHvxLxvL2q3hwJiDsAbuw38ejkBBeFk5XLMcDVZgZmppB9/ZFEN+GPb8nPA 8AiEhimB/G5PpvtjO2Rl9H1SMd1Qidv/Cvzgh6Ql+x0xfcilp6TJLogxNuFYPvJQfqxD 3Yeg==
X-Gm-Message-State: AOUpUlFx+VlU0NphxG2L7tGS9p3iTYMgHhO80H9FqERGAEqnHh24gR3C UjR+QtfsKnUOKy3YxTfJW/WswVuGbYsKhAf0epFTO9c=
X-Google-Smtp-Source: AAOMgpdQOV4VN4mDGV8fsVOhotN9f43IzZle1F8ocSPDIUDfEU8eLR7TDs2bo/EWSljcg1dmWBUP4S7DDkFmNw1odz8=
X-Received: by 2002:a0d:e501:: with SMTP id o1-v6mr2615168ywe.409.1533317073506; Fri, 03 Aug 2018 10:24:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAD2i3WNSe+of7U8fdTnmUeU3sthUbpEVgdYHT9J6BgLxoeOL3w@mail.gmail.com> <20180730221726.713CE200316625@ary.qy> <CAD2i3WMvCugRm4KZeLx3PFb6f_pKR3rs4mnH2FZO4_X7ZA7GHA@mail.gmail.com> <alpine.OSX.2.21.1807302025420.60501@ary.qy>
In-Reply-To: <alpine.OSX.2.21.1807302025420.60501@ary.qy>
From: Brandon Long <blong@google.com>
Date: Fri, 03 Aug 2018 10:24:21 -0700
Message-ID: <CABa8R6sWSu9Q+mozxzaVGab3PE2zxqVmt4L6FERSLC1oDTh1oA@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: Seth Blank <seth@sethblank.com>, dmarc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007f20b105728b33ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/1LUmj0yXW29uYZhNxpHJmO6Dznk>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Aug 2018 17:24:37 -0000

I know I lost the argument on cv (I think cv is entirely superfluous and
there's no point adding/signing a cv=fail header), but it seems the
argument for that is more data.  That said, this "either or" signing set
thing on cv=fail seems pretty cumbersome.

Brandon

On Mon, Jul 30, 2018 at 5:42 PM John R Levine <johnl@taugh.com> wrote:

> > The working group considered cv=invalid last year, but there was strong
> > consensus was against it. The guidance for Sealing cv=invalid Chains
> > somehow made it into this draft applied to all cv=fail Chains. All Chains
> > should be Sealed in the same fashion (your AS covers the ARC Set you've
> > added and all previous ARC Sets), unless the Chain is invalid in which
> case
> > you only Seal your own ARC Set.
>
> Ah.  Perhaps reword 5.1.1 like this:
>
> The signature of an AS header field signs a specific canonicalized
> form of the ARC Set header values, when all of the previous ARC sets
> are valid. In that case, the ARC set header values are supplied to the
> hash function in increasing instance order, starting at 1, and include
> the ARC Set being added at the time of Sealing the message.  If any of
> the existing sets are invalid, the AS header field only signs its own
> ARC Set.
>
> Within an ARC Set, header fields are supplied to the hash function in the
> following order:
>
> 1. ARC-Authentication-Results
> 2. ARC-Message-Signature
> 3. ARC-Seal
>
> The ARC-Seal is generated in a manner similar to when DKIM-Signatures
> are added to messages ([RFC6376], section 3.7).
>
>
> In 5.1.2:
>
> In the case of a failed Authenticated Received Chain, the header
> fields included in the signature scope of the AS header field b= value
> MUST only include the ARC Set headers in the newly created set, as if
> this newest ARC Set was the only set present.
>
>
> In 5.2, oldest pass is confusing, since it doesn't tell you whether
> the validation succeeds or not.  I would take out steps 5-7 and add
> something to the INFORMATIONAL at the end like "A validator can check
> the AMS headers to estimate when in a chain of forwards the message
> was modified."
>
>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email