IETF Logo Mail Archive

Re: [dmarc-ietf] Fwd: Priming the Pump for Discussion - Ratchets

Barry Leiba <barryleiba@computer.org> Tue, 20 July 2021 14:51 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA5693A2585 for <dmarc@ietfa.amsl.com>; Tue, 20 Jul 2021 07:51:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qtai9ceDy1gC for <dmarc@ietfa.amsl.com>; Tue, 20 Jul 2021 07:51:05 -0700 (PDT)
Received: from mail-lf1-f43.google.com (mail-lf1-f43.google.com [209.85.167.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 639743A2582 for <dmarc@ietf.org>; Tue, 20 Jul 2021 07:51:05 -0700 (PDT)
Received: by mail-lf1-f43.google.com with SMTP id u13so36157251lfs.11 for <dmarc@ietf.org>; Tue, 20 Jul 2021 07:51:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=sQblGZoR2iuXPTmkh+NPf+GxJ5gyRL1xEkQOZLHPzVc=; b=UnGRSDJY0PQbldW2kqCVAhVvpmLW7zYYbIEVyvuSVqRuvPD1YWp53xjA76M5OTYdFJ WwLcakR2ZfJP8YBlxp8yaunYeQcLrnqrEy+4hXmoBaKCbYqSvvCx0EPQbJTs0KP2VanF KeUtm/n68umGNX8EOBAZi489JhoS6AS4cvqttFVYZSfKF67uXuI+GjSBxeaSAq8L3XL2 D5/CYoww6H9HR3AOyJ+V3YI6xL77UxAkFmJFNZt9vnDq/Kzk5sRjAFQqcHrblLEgiJSC lbchjSuOW3ayQ2bm8MZ2+tF7//LHHbA6V6XAXa9NslT63jkTP3A4zTwGEqrb8ekLX7q4 8j2w==
X-Gm-Message-State: AOAM5325OH3y+9uJywIqa5iAuNWx6ZCMg//7x+186Nre8gUpo8BROUJm z/YZS5nubGixomr+CXZK7/c9l6Wig37Uuu3sE7k=
X-Google-Smtp-Source: ABdhPJy3qmHWZb9BWCRdjxadRO6DRV+K1EBOicyE21jTwgHYu7bwBHNf28nVVISXaNo0NUqsTYyqdxjWHRnXmMreF4I=
X-Received: by 2002:a19:6d06:: with SMTP id i6mr23570708lfc.295.1626792658075; Tue, 20 Jul 2021 07:50:58 -0700 (PDT)
MIME-Version: 1.0
References: <CAHej_8=yvgXP2WgHayhGU2Hg2E0RcNgZBFjfw1cM-qKWkTG-+w@mail.gmail.com> <d80b0a14-0f4d-8266-8d42-8d9a6b02413d@tana.it> <CAH48ZfyLvECR_nwLmw6R6RnE4EZa8g_i7MJaF32d2qk4RBCKRA@mail.gmail.com> <1E1F7937-AFEC-4F5A-8A5A-229A99C94E8B@bluepopcorn.net> <CAH48ZfyTm1PSANTUmnqOy3aeiW4JHGbTsQ-m9xtSW9zFaCUZQA@mail.gmail.com> <CAH48ZfzEWaFPUG4Gfc2ckpyUEq-8L9kEZZv+LwqJcW88=0y6=w@mail.gmail.com>
In-Reply-To: <CAH48ZfzEWaFPUG4Gfc2ckpyUEq-8L9kEZZv+LwqJcW88=0y6=w@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Tue, 20 Jul 2021 10:50:46 -0400
Message-ID: <CALaySJJ2ZFML2neecfgAhvfk_1EuMNGw6DwchLmmWWpbDJC+Zw@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/3agS8RI5XWhCL9yW4SNsQrWZlKY>
Subject: Re: [dmarc-ietf] Fwd: Priming the Pump for Discussion - Ratchets
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jul 2021 14:51:11 -0000

Doug, I think the issue here is that I disagree with your premise, so
the rest of the argument fails for me:

> The goal is to partition all incoming messages into two mutually exclusive groups:   Those messages which
> originated under domain owner control, and those which originated under domain owner control, and those
> which originated outside domain owner control.   This requires two things:

I don't agree with the characterization of the second group.  I would
say that we are partitioning messages into these two groups:
- Those for which we can confirm that they originated in the domain
they say they did.
- Those for which we can not confirm that.

Note that the second of those is subtly different to your
characterization, in that there's a difference between knowing that
they did not originate in the domain... and not knowing whether they
did or didn't.  It has never been a claim of either DKIM or SPF that
we can know anything in particular about a message when validation
fails: all either of them tells us is that validation has failed.

As Jim says, DKIM is very clear about that, when it tells us to treat
a validation failure the same as an absent signature.  Any proposal
that tries to treat a signature that fails to validate in any special
way is a non-starter, as it violates DKIM.

Barry

On Sat, Jul 17, 2021 at 8:38 AM Douglas Foster
<dougfoster.emailstandards@gmail.com> wrote:
>
>
> The goal is to partition all incoming messages into two mutually exclusive groups:   Those messages which originated under domain owner control, and those which originated under domain owner control, and those which originated outside domain owner control.   This requires two things:
>
> - First, that at origination, credentials are in place so that a first-hop MTA can reliably perform this partitioning.   I have a much longer analysis, but the short version is that this requires an aligned and verified DKIM signature on all messages.   There is no partial participation, which is why the percentage notion needs to be discarded.   Of course, fully authenticated messages are always detectable.  However, in the absence of DKIM on all messages, the partitioning is not possible because both domain owner and non-owner messages will both fail to be authenticated.
>
> - Secondly, the message addresses and the associated DKIM credential must be preserved until the message is received.   We know that this is not the case because forwarding with changes will break the DKIM signature.   The absence of verification does not reliably indicate the absence of domain owner
> control, it can result from a domain owner message which was modified or a non-owner message which was received in transit for any reason.
>
> Consequently, we need three categories:
> 1) Messages which can be reliably attributed to the domain owner because authentication passess.
> 2) Messages which can be reliably attributed to non-owners because of a repudiation rule.
> 3) Messages which are ambiguous because they neither meet an authentication rule nor meet a repudiation rule.
>
> When we acknowledge this three-category reality, we have solved the mailing list problem.   Mailing list messages can never be in category one.   They belong in category 2.  The current DMARCv1 specification forces them into category 3.   The two-possibility worldview creates the problem.   The three-possibility worldview solves the problem.
>
> I suggest these repudiation rules:
>
> Rule 1:  The domain owner asserts that all messages from this domain will originate with a verifiable DKIM signature.   If a message does not have an aligned DKIM signature, or does not have a DNS public key available for the scope ID, then the message originated outside domain owner control,  As I have said, this is a mandatory first step to any policy being applied to non-authenticated mail.
>
> Rule 2:  The domain owner asserts that all messages from this domain will originate with an SPF policy, including messages from email service providers.   Results of SPF NONE or SPF NXDOMAIN indicate messages that are outside domain owner control.
>
> Rule 3:  The domain owner asserts that all messages from this domain will have RFC5322.FROM addresses that "exist".   Messages that do not have FROM addresses which "exist" have originated outside domain owner control.  The definition of "Exists" is still being debated, and I have expressed strong feelings about the right definition.
>
> Rule 4:  The domain owner asserts that all messages from the domain will originate with an initial ARC Set.   Messages which do not have an ARC Set from the domain have originated outside domain owner control.  I am inclined to include broken-chain ARC sets in this rule, but John would be a better person to clarify this question
>
> Everything that is not authenticated or repudiated is in category 2.   I understand that category 2 includes a large number of messages.   These messages require more analysis because the DMARC result is indeterminate.   In most cases, this means that the next step is to put the message through the full suite of content filters.   If the message is not blocked based on content filters, then it may be desirable to do an in-depth analysis of the message. Full header analysis is complex, ambiguous, subject to spoofing, and very much outside of the capabilities of this document.
>
> Note:  I am being careful to use "outside domain owner control" because some such messages are very much wanted and should not be blocked.   Even though such cases exist, the partitioning effort is indeed useful, because it can be used to block some unwanted messages.  So "p=reject" fails on multiple levels:   It presumes that the domain owner knows that credentials will be preserved until reception, which is false, and it assumes that non-credentials messages should always be blocked, which is also false.   "Pct=50" fails because it presumes that partial participation is possible, and it presumes that a message evaluator will be willing to use a random number generator to decide message fates.
>
> Doug Foster
>
>
> Doug Foster
>
>
> On Fri, Jul 16, 2021 at 7:24 PM Jim Fenton <fenton@bluepopcorn.net> wrote:
>>
>> On 15 Jul 2021, at 18:07, Douglas Foster wrote:
>>
>> >> The aligned DKIM signature test can have three conclusions, not just two:
>> >>
>> >> ·         Fully Authenticated:    A signature is present, a DNS public
>> >> key is available, and the key can be used to verify the signature.
>> >>
>> >> ·         Provided:  A signature is present, and a DNS public key is
>> >> available, but the key cannot be used to validate the signature.
>> >>
>> >> ·         No Signature or No key:  A signature is not present or is
>> >> present but the DNS public key is not available.
>> >>
>> >> If the domain owner indicates that all messages originate with a
>> >> signature, then messages with “No Signature or No Key” are verifiably not
>> >> from the domain owner and can be confidently repudiated.
>>
>> Why would “Provided” be handled any differently from “No signature or no key”? An attacker can easily provide a signature for a message they are spoofing, and after observing some of that domain’s traffic will know what selector name to use that has a published public key.
>>
>> DKIM is very explicit about its results: either the signature verifies or it does not. There is no third case.
>>
>> -Jim
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email