Re: [dmarc-ietf] Sibling Authentication
"Murray S. Kucherawy" <superuser@gmail.com> Thu, 01 June 2023 14:02 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 016B7C152F04 for <dmarc@ietfa.amsl.com>; Thu, 1 Jun 2023 07:02:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YnnyMVOcYW57 for <dmarc@ietfa.amsl.com>; Thu, 1 Jun 2023 07:02:24 -0700 (PDT)
Received: from mail-ed1-x531.google.com (mail-ed1-x531.google.com [IPv6:2a00:1450:4864:20::531]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 555D5C152F06 for <dmarc@ietf.org>; Thu, 1 Jun 2023 07:02:18 -0700 (PDT)
Received: by mail-ed1-x531.google.com with SMTP id 4fb4d7f45d1cf-510f866ce78so216367a12.1 for <dmarc@ietf.org>; Thu, 01 Jun 2023 07:02:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1685628136; x=1688220136; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=egoT4iBUqPipKPXH0JS4BqxGpJznSIgRks3Ie1giFUw=; b=cg0PLsyasw/d/Zj6P4Mi2DwTBsVdbH6Q5FcA1XnfGJ+ISxQd7yq2Hupss0UNOIi4Yt kaGZYjsYlttikORfK58T2GF754OVG5fav6gpno+c85NWxEjifKH9nLcfiz6ADRXukdLQ F3Usr6bDQsM2gOEuA7wMK7q2n7cBUO3JGlWF9cCrK4HEJqPLCigKGKtnyf5nGavF45vC IW4mPlqNHkuE9TiEpe72w5DokGzEVFFh7OQtJl1H+c0c2aA4nDpce9Bv2BatYjl9sFUW erd/TuMkDwXkSU7Wi/+NUxED80FdTPG///Qc9+rqlFiyYvkXuOKuPSyGKc5UCKL6QJW3 Yh1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685628136; x=1688220136; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=egoT4iBUqPipKPXH0JS4BqxGpJznSIgRks3Ie1giFUw=; b=RE1VvTot6XdhMi31ZOoz7jORgcV+qGQx0fQjstj4vY+66p3xRS5R7s+6FHb8cLgGiu EuhXeN3Am1Nh/NmxGtfhENoHzocxG2kQgESCFMmphK9s926qNHlkfbi2fGUFotRyK+97 y6w9fGRTSUA+pO6AilTxYFpE4FrvdJNOXudolqtuuT9ZFinMcO2n5niA5jRtME+txIjc AnlvS3skiQYyXT/KvuOlDqwvuGww+HbUJbsloDdjQVWSgTGs/f1KIpzVLVMxXL9/6vkn 9fqwD+dEQZ7HXr8P+39S9CjOcnwxJ/cCWt0bj/HMzhrEnKlVXcIwRP59xXKXWJaPaF69 ZW2Q==
X-Gm-Message-State: AC+VfDxATviNe+IZwYGLBnV7IUROgnLmZwEfm1QZwy6lNMp1SNtynfSI 5RVwdS06rdu5HKXRYAnlgQwAtYurUuO4FcHK3S5q1BTc
X-Google-Smtp-Source: ACHHUZ5oC09C57W6bzItlK7Eoyhdjhk7oVmNcu5aTI+erNmGIXC0U6FHMWjWM/NiN28cHJV/3arx0v+3Kz2n9s8YLgs=
X-Received: by 2002:a05:6402:518f:b0:514:a59d:93c5 with SMTP id q15-20020a056402518f00b00514a59d93c5mr7919383edd.2.1685628136367; Thu, 01 Jun 2023 07:02:16 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48Zfym2GqK4XWaavVykoqfiscZms9CBUzuY9cg=98WS4Aipg@mail.gmail.com>
In-Reply-To: <CAH48Zfym2GqK4XWaavVykoqfiscZms9CBUzuY9cg=98WS4Aipg@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 01 Jun 2023 07:02:03 -0700
Message-ID: <CAL0qLwauFLwWr0SMOLjZ-Ec6Svmw893qJr=y-4WxBFLFdmSKJA@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004aabdd05fd11e21d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/1q8OyhqoZ3K60SZeHobWAf0MJM8>
Subject: Re: [dmarc-ietf] Sibling Authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jun 2023 14:02:25 -0000
On Thu, Jun 1, 2023 at 4:03 AM Douglas Foster < dougfoster.emailstandards@gmail.com> wrote: > I cannot support the current draft because it creates new problems without > sufficiently solving the old ones. > > The PSL is subject to two types of errors: > - Landing too high, causing False Pass on non-affiliated domains > - Landing too low, causing False Fail or False NoPolicy on domains that > are actually affiliated. > False Pass presents the greater threat. While it could occur on any type > of non-strict alignment, the primary concern is False Pass on sibling > alignment. > [...] > Can you please define, or give an example of, "sibling alignment"? My understanding of "sibling" in a tree structure is two or more nodes at the same level with a common parent. In that sense, twitter.com and facebook.com are siblings. In the DMARC environment, how could one align with the other? Or is your claim that they could align if, say, ".com" chose to assert policy about them and they omit to assert their own? The bottom-up-first-stop tree walk attempts to solve the problem of False > Pass by using an algorithm that will often land too low, causing False Fail. > Can you give an example of this? > Nonetheless, it fails to solve the whole problem because evaluators are > still at risk from private registries that publish a DMARC policy with > strict alignment but without a PSD tag. The proposed tree walk has other > problems, because it changes an organization's relaxed alignment boundary > every time that a policy is added or removed. > And this? > As long as the parent-child and child-parent forms of relaxed alignment > are permitted, we need an explicit tagging mechanism which gives the domain > owner full control over alignment boundaries and eliminates uncertainty > about the domain owner's intent. Parent-child and child-parent > authentication will be important for as long as SPF-alignment is > necessary. For DKIM signatures, I am not convinced that relaxed alignment > should be necessary even though it has some current use because it is > allowed. > An example here would really help. -MSK, participating
- [dmarc-ietf] Sibling Authentication Douglas Foster
- Re: [dmarc-ietf] Sibling Authentication Murray S. Kucherawy
- Re: [dmarc-ietf] Sibling Authentication Barry Leiba
- Re: [dmarc-ietf] Sibling Authentication Douglas Foster