IETF Logo Mail Archive

Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

Dotzero <dotzero@gmail.com> Fri, 14 August 2020 01:43 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EDAC3A0BE3; Thu, 13 Aug 2020 18:43:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nK0GhK8Ae-8S; Thu, 13 Aug 2020 18:43:20 -0700 (PDT)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A03E3A0B55; Thu, 13 Aug 2020 18:43:20 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id f12so6927772wru.13; Thu, 13 Aug 2020 18:43:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XyRv022z0qCcLLkQIrgBADXhNczb/GOHnurXC9EnZ8Y=; b=tsZM41pp8dLF0MlrfxSqUDbQ6a52SIbwgqD33IxYnrftaIOyXrYo7hcrKYeVEJPeiL /cT2Knp5dTbOk6c2AEb3kOMMpkblPSXpcKztcy1nEAqnp0OlA95PwmOkYK5hOGYDLGUI ndFd73+hQJQOP1SYXU8o1h3XiqPM0c/cfWhbmRRDBpr7ToMjM2tIUf6yyMTTykZLDNLo 4MUEA9HLld8OV0UcxDYC9wee33BwUQwGlYso1pOvW61RJDQn0TxRHWM+3xzmNvGT0g/B r+smFgpGRvgjgmJ5GzYyGH3+LLeh8lG6tFDXqwpOX4poKBQaX4gZjlJUIhkCST78eYz9 dDjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XyRv022z0qCcLLkQIrgBADXhNczb/GOHnurXC9EnZ8Y=; b=DMtgU3nFzTqRfl8x9FGGCaXIsv11DEJEJXA984BUhQk5cKH4nuyRUcYgzEUXjQXPjm 9JilrtEtWgOA/U08gB3qMtPZd7jYxhRN7gpEZ5aGIi+KqfmbgdXqxvW8kyMzl+Oy0mcI zYTMzDAiqtCM4f37eqlAi0eaSxFGWnDu+UhziRVs27a/c8vGuJctrYjXuiHmJjjHzBZo 59qc0AkovhgVcQ9VQnYy4Dla7YuIjRKqsRwanqeNsAKozu78ed/vaa83qox02FVkaOdg 0NkQvYcaumrHZbuwSj7K2DTu8eMty1v67o1y4CXRktwGMFcKs34f4stsbzSJc8fbBAkS 37TA==
X-Gm-Message-State: AOAM5311DUhH+gaChRm9ktJgwyLLM0aTjHV3eWM07tJESSh9sdr7c+et PmBMEuX0M52CEI9JHvlHVyU17ifIW36QSANho38=
X-Google-Smtp-Source: ABdhPJykHoVhKLTMQl88uzQbSJvRDODnPiMGqKGakQj6fK4Sq31JvSOugGft9wTn9TdtwKRS/iXRehw6+qs1j9fIoso=
X-Received: by 2002:adf:fd82:: with SMTP id d2mr437404wrr.72.1597369398765; Thu, 13 Aug 2020 18:43:18 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+H4D9+ELpsjxggEWwzg+WwUZs9mXzy8iNnLZCTfGORACA@mail.gmail.com> <CAL0qLwYo6vKHUkY_+aE0ipUpXGg=-=cG7wMzZM_jn1nUYDPiaw@mail.gmail.com>
In-Reply-To: <CAL0qLwYo6vKHUkY_+aE0ipUpXGg=-=cG7wMzZM_jn1nUYDPiaw@mail.gmail.com>
From: Dotzero <dotzero@gmail.com>
Date: Thu, 13 Aug 2020 21:43:08 -0400
Message-ID: <CAJ4XoYfpGMUmkDkQYN0qZeNFi_xZjfR=99yVu0dgLz-z19iwfA@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, IETF DMARC WG <dmarc@ietf.org>, dmarc-chairs@ietf.org
Content-Type: multipart/alternative; boundary="00000000000096adf005accc8bf8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/2RHHY3vznCwNNRmQLHoHAeoWobc>
Subject: Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2020 01:43:22 -0000

On Thu, Aug 13, 2020 at 8:23 PM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Mon, Aug 10, 2020 at 12:05 PM Tim Wicinski <tjw.ietf@gmail.com> wrote:
>
>> During IETF 108, the chairs realized that there was interest in Dave's
>> RFC5322.Sender draft.
>>
>> This starts a Call for Adoption for draft-crocker-dmarc-sender
>>
>> The draft is available here:
>> https://datatracker.ietf.org/doc/draft-crocker-dmarc-sender/
>>
>> Currently, the draft is marked as "Standards Track".  The chairs feel if
>> the
>> working group does adopt this, it should begin as "Experimental".  If we
>> start
>> to see adoption of this work, this can be changed back to "Standards
>> Track" before
>> Working Group Last Call.  Of course, we welcome input from the working
>> group on this.
>>
>> Please review this draft to see if you think it is suitable for adoption,
>> and
>> send any comments to the list, clearly stating your view.
>>
>> Please also indicate if you are willing to contribute text, review, etc.
>>
>> This call for adoption ends: 24 August 2020
>>
>
> DISCUSS.
>
> (just kidding; +1 for adoption)
>
> -MSK, participating, except for the joke part, that was with full authority
>
> "DISCUSS" shouldn't really be a joke. draft-crocker-dmarc-sender suffers
from a similar problem as PRA in the SenderId draft. There is no way to
validate that the specific intermediary is authorized by the (From) domain
originating the email through it's generic signalling that it
authorizes intermediaries. This means that any source can emit a message
claiming to be a legitimate intermediary just as any source could game PR
to gain a neutral result. This raises a significant question as to the
value of this proposed draft. It essentially reverts to depending on
reputation as to whether the intermediary's assertions (I'm really really
trustworthy) should be accepted. One could achieve similar outcomes using
only reputation and local policy override of DMARC policy.

The only way a scheme along the lines of the proposed one would be if the
specific intermediary were authorized either through a seperate DKIM
signing of a field (with the intermediary domain ) that would remaintact
even if the DKIM signing of the entire message were broken by the
(authorized) intermediary.

The proposed approach is easily abusable by individuals with malicious
intent.

Michael Hammer

v2.23.0 | Report a Bug | By Email