Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Bron Gondwana <brong@fastmailteam.com> Thu, 17 August 2017 22:46 UTC

Message-Id: <1503009966.777131.1076940784.1D7A65AB@webmail.messagingengine.com>
From: Bron Gondwana <brong@fastmailteam.com>
To: dmarc@ietf.org
In-Reply-To: <CAD2i3WMDsY3-_o6cETtnN4B456dwycyikMVN-cgSKB16F6ynaQ@mail.gmail.com>
References: <1502957343.3548792.1076152832.1FEB1A8C@webmail.messagingengine.com> <CAD2i3WMDsY3-_o6cETtnN4B456dwycyikMVN-cgSKB16F6ynaQ@mail.gmail.com>
Date: Fri, 18 Aug 2017 08:46:06 +1000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/2pmtF6KVYi5-DzyfRqtqTk_TLiA>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

On Fri, 18 Aug 2017, at 04:48, Seth Blank wrote:
> On Thu, Aug 17, 2017 at 1:09 AM, Bron Gondwana
> <brong@fastmailteam.com> wrote:
>> I laugh as well, but it's more than p=reject isn't enough in the ARC
>> world, because it doesn't distinguish between:
>> a) I'm OK with email from my domain being sent via mailing lists; and
>> b) no, this domain is only ever used for direct messages, it should
>>    never appear in ARC chains that don't also pass DKIM.
>
> The DMARC WG charter directly addresses this:
> https://datatracker.ietf.org/wg/dmarc/charter/
>
> Our stated goal is to fix indirect mail flows so that they do not
> break under DMARC. To me, that's an explicit requirement of a), with
> b) being out of scope.
OK, so case (a) means that we are explicitly redefining the behaviour of
a DMARC receiver.  It should now accept messages that it used to reject,
because they have additional new headers.  Which means what - until it's
updated it is now no longer compliant, or else it means (as I have just
responded to Brandon in what appears to be a split of this same thread)
that intermediate sites which modify messages are left in a limbo where
they have to guess what happens.

In one respect, that's no different than the situation now where
intermediate modifiers KNOW that they can't send on messages for
p=reject domains (or at least, they would know if they were
DMARC-aware).  But it does mean that workarounds for DMARC (like
modifying the From header) are needed for some time yet.
Bron.

--
  Bron Gondwana, CEO, FastMail Pty Ltd
  brong@fastmailteam.com
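The two receiver behaviours Bron contrasts, a classic DMARC receiver that rejects a list-modified p=reject message and an ARC-aware receiver that accepts the same message because of the added headers, modelled as an added example; this is not code from the thread or from any ARC implementation. The AuthState fields, the trusted-sealer set and the mailing-list sample are constructed assumptions, and the override rule is a simplified form of the local-policy override described in RFC 8617.

```python
from dataclasses import dataclass

@dataclass
class AuthState:
    """Constructed summary of what a receiver has established for one message."""
    from_domain: str
    dmarc_policy: str           # "none" | "quarantine" | "reject"
    dkim_aligned_pass: bool     # an RFC5322.From-aligned DKIM signature still verifies
    spf_aligned_pass: bool      # SPF passes with an aligned domain
    arc_chain_status: str       # "none" | "pass" | "fail" (result of ARC validation)
    arc_oldest_dkim_pass: bool  # oldest ARC-Authentication-Results recorded dkim=pass
    sealers: tuple              # domains that added ARC-Seal, oldest first

def dmarc_disposition(s: AuthState) -> str:
    """Classic (pre-ARC) DMARC receiver: aligned pass, else the policy applies."""
    if s.dkim_aligned_pass or s.spf_aligned_pass:
        return "accept"
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[s.dmarc_policy]

def arc_aware_disposition(s: AuthState, trusted_sealers: frozenset) -> str:
    """ARC-aware receiver: identical to the classic one, except that a valid
    ARC chain sealed only by trusted intermediaries, attesting that the
    message passed DKIM before modification, overrides the DMARC failure."""
    base = dmarc_disposition(s)
    if base == "accept":
        return base
    if (s.arc_chain_status == "pass" and s.arc_oldest_dkim_pass
            and s.sealers and all(d in trusted_sealers for d in s.sealers)):
        return "accept (dmarc override: arc=pass)"
    return base

def mailing_list_case() -> AuthState:
    # Constructed: a list rewrote Subject: and appended a footer, so the author's
    # aligned DKIM signature no longer verifies and SPF now evaluates the list host.
    return AuthState("example.org", "reject", False, False, "pass", True,
                     ("lists.example.net",))

if __name__ == "__main__":
    msg = mailing_list_case()
    print("classic receiver:  ", dmarc_disposition(msg))
    print("ARC-aware receiver:", arc_aware_disposition(msg, frozenset({"lists.example.net"})))
```

The same message yields "reject" from the first function and an override accept from the second, which is the limbo Bron describes: the intermediary cannot know which receiver it is sending to.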