Re: [dmarc-ietf] Not Multiple From: mailboxes, was I-D Action: draft-ietf-dmarc-dmarcbis-24.txt

Dotzero <dotzero@gmail.com> Fri, 25 November 2022 01:54 UTC

MIME-Version: 1.0
References: <CAJ4XoYeTd-sH8O3dLQbhV6L_YA5R0+JmmJhv2kFBrd34-EstZA@mail.gmail.com> <DBCFF6BD-B3F0-4638-AF06-859B652C0FF3@marmot-tech.com> <CAJ4XoYeBP5ZDju_u5RL3Fik8bYq8qmZB5n0GgSYkm7KT2vJYQg@mail.gmail.com> <CAH48ZfzXkt7tHUez-biAomaxfNYsjxqLHSvxyepRDHKdmv74Ng@mail.gmail.com>
In-Reply-To: <CAH48ZfzXkt7tHUez-biAomaxfNYsjxqLHSvxyepRDHKdmv74Ng@mail.gmail.com>
From: Dotzero <dotzero@gmail.com>
Date: Thu, 24 Nov 2022 20:54:21 -0500
Message-ID: <CAJ4XoYcCwRQMMN3D24rXqEL66hZb8+vvzb_iYQuXJGoSa_bLRw@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: Neil Anuskiewicz <neil@marmot-tech.com>, IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007606b405ee41cdad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/3Qy9KWbTsSvWJXTOh57o3qlUYag>
Subject: Re: [dmarc-ietf] Not Multiple From: mailboxes, was I-D Action: draft-ietf-dmarc-dmarcbis-24.txt

On Thu, Nov 24, 2022 at 6:12 PM Douglas Foster <
dougfoster.emailstandards@gmail.com> wrote:

> I have been tracking the discussion pretty closely for about three years,
> and I have no recollection of any discussion which established that From is
> different from Author.   On the contrary, we have said that From indicates
> the person whose ideas are being presented, which is why authorship is
> different from MailFrom.   MailFrom is equivalent to Scribe.
>
> Jeremiah the prophet is the presumed Author of the Biblical book with his
> name (or of the material on which it is based), even though he may have
> been illiterate.  The book tells us that a guy named Baruch was his scribe,
> but Baruch is remembered only incidentally.
>
> Please clarify why you don't believe that From = Author.
>
> Doug Foster
>

Then you weren't tracking when Dave Crocker proposed the use of "Author" as
a means of enabling replies where a mail list or other intermediary
rewrites the From. Is a rewritten email address from an intermediary the
From AND the Author? If you reply to the rewritten From do you have any
reasonable expectation that your reply will reach the purported "Author" of
the email?

You are going down the same path that Microsoft went down with SenderID
when they conflated Sender with MailFrom. I used to send emails to the
folks at Microsoft who were pushing SenderID, using their own email
addresses because you could consistently get a neutral. It drove them nuts
for months before they admitted it was a problem with PRA. From != Author.
There may be instances where it does but that is not because a standard
specifies it to be so. Merely a happy coincidence.

Michael Hammer

>
>
> On Thu, Nov 24, 2022 at 4:58 PM Dotzero <dotzero@gmail.com> wrote:
>
>>
>>
>> On Thu, Nov 24, 2022 at 2:22 PM Neil Anuskiewicz <neil@marmot-tech.com>
>> wrote:
>>
>>>
>>>
>>> On Nov 24, 2022, at 7:10 AM, Dotzero <dotzero@gmail.com> wrote:
>>>
>>>
>>>
>>>
>>> On Tue, Nov 15, 2022 at 12:29 PM Douglas Foster <
>>> dougfoster.emailstandards@gmail.com> wrote:
>>>
>>>> Your solution is straightforward, but I am not sold.
>>>>
>>>> DMARC PASS means that the message is free of author impersonation.
>>>> This can only be true if all authors are verifiable and verified.
>>>>
>>>
>>> This is absolutely not true. An attacker can use homoglyphs, cousin
>>> domains and other means of impersonating a sender. An attacker can
>>> impersonate a sender within the same domain and DMARC will happily give a
>>> pass because the right hand side of the from address matches. Author !=
>>> sending domain. DMARC only addresses direct domain impersonation.
>>>
>>>
>>> Can we assume that in the context of DMARC, passing means passing with
>>> alignment when it stops exact domain impersonation? I think we can assume
>>> that nobody on this list thinks me using my own passing spf and dkim with
>>> sketchythreatactor.com and spoofing your header from isn’t what anyone
>>> means by pass in this context. If the effect can stop impersonation it’s
>>> ipso facto in alignment.
>>>
>>
>> In the context of a standards working group, no, we cannot assume
>> anything. There have been plenty of misstatements and factually incorrect
>> statements in this group. This includes "DMARC PASS means that the message
>> is free of author impersonation". DMARC pass means it passed DMARC
>> validation. If a homoglyph From email address passes DMARC validation,
>> there has indeed been impersonation of the purported From address. And for
>> purposes of DMARC, Author is not necessarily the same as From. We've had
>> that discussion multiple times before.
>>
>> Michael Hammer
>>
>
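The argument running through the quoted messages above (DMARC evaluates only the domain of RFC5322.From, so a pass says nothing about the author, the local part, or a cousin domain that authenticates itself) in runnable form. This is an added example, not code from the thread; the organizational-domain shortcut and the sample domains are assumptions.

```python
# Added example, not code from the thread: a minimal DMARC alignment check
# (RFC 7489 semantics) that makes explicit what "DMARC pass" does and does not assert.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AuthResults:
    # Identifiers that authenticated for a message (constructed sample input).
    spf_pass_domain: Optional[str] = None                   # RFC5321.MailFrom domain with SPF pass
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of each valid DKIM signature


def org_domain(domain: str) -> str:
    # Simplified organizational domain (last two labels). A real evaluator must
    # consult the public suffix list; this shortcut is an assumption of the example.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    # "s" = strict (exact match), "r" = relaxed (same organizational domain).
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def from_domain_of(from_header: str) -> str:
    # DMARC looks only at the domain of RFC5322.From; the display name and
    # the local part never enter the evaluation.
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[1].lower()


def dmarc_pass(from_header: str, auth: AuthResults, adkim: str = "r", aspf: str = "r") -> bool:
    fd = from_domain_of(from_header)
    if auth.spf_pass_domain and aligned(fd, auth.spf_pass_domain, aspf):
        return True
    return any(aligned(fd, d, adkim) for d in auth.dkim_pass_domains)


def scenarios() -> dict:
    # Constructed cases mirroring the thread's argument; domains are placeholders.
    return {
        # Direct domain impersonation: From claims example.com, nothing aligned authenticates. Fails.
        "direct_spoof": dmarc_pass("CEO <ceo@example.com>", AuthResults("attacker.test", ["attacker.test"])),
        # Cousin domain with its own valid DKIM: passes, because the From domain really is that domain.
        "cousin_domain": dmarc_pass("CEO <ceo@example-invoices.com>", AuthResults(None, ["example-invoices.com"])),
        # Same organizational domain, arbitrary local part: passes under relaxed SPF alignment.
        "same_domain_other_user": dmarc_pass("CEO <ceo@example.com>", AuthResults("bounce.example.com", [])),
        # A list rewrote From to its own domain and signed it: passes for the list, not for the author.
        "list_rewrite": dmarc_pass("Alice via List <list@lists.example.org>", AuthResults(None, ["lists.example.org"])),
    }
```

Only the first case is what DMARC is designed to stop; the other three pass precisely because DMARC verifies the From domain and not the author.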