IETF Logo Mail Archive

Re: [dmarc-ietf] Updated mandatory tag/conditional signature draft

Hector Santos <hsantos@isdg.net> Thu, 09 April 2015 22:37 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B16C1A8AE0 for <dmarc@ietfa.amsl.com>; Thu, 9 Apr 2015 15:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.137
X-Spam-Level:
X-Spam-Status: No, score=-101.137 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pauSw0xb6tuW for <dmarc@ietfa.amsl.com>; Thu, 9 Apr 2015 15:37:11 -0700 (PDT)
Received: from dkim.winserver.com (mail.catinthebox.net [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id 40A041A8BC3 for <dmarc@ietf.org>; Thu, 9 Apr 2015 15:37:11 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=2227; t=1428619023; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=ntu+PML8zIU2b/JLD05/rX/DuYY=; b=c+9JuYwOp3y5KSek7rPb RKjP3I3CdCc49l/QP3YXliPkpWiwMTpL8rGFhCAA5jWqK7cjjAn5s+vH5q9RSeeh t7eJhThzkbYlQ3R71/6V/DuSNcbCIhDskgWXk/1WAtVUf+Wvsfa9RBCRENZ58V2b WhjQtwK5vqaYyOJv3/B5cpU=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for dmarc@ietf.org; Thu, 09 Apr 2015 18:37:03 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com; dmarc=fail author.d=isdg.net signer.d=beta.winserver.com (unauthorized signer);
Received: from beta.winserver.com (hector.wildcatblog.com [208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 2329042379.3150.6048; Thu, 09 Apr 2015 18:37:01 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2227; t=1428618800; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=RsCyQOo cd3qRytLBDKRulCI1ejqQ0be2DscwrA1bv8E=; b=cL64+OWO6IYiIjIrdVssdsQ d3KuTka93Ls8ebmcmVu9/5g2TkVnvOXDOTJvpOd3ZafRKZS7hlpk+xYbe/7xrB6L gOrjiPW4Be4+BcApb0CwtjQGloW6cf/U1xLSdgqmwZbzsIrwRYVY8vMdDzEm7Gje VDo+w1jvjAjxlZ2pkwmI=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.4) for dmarc@ietf.org; Thu, 09 Apr 2015 18:33:20 -0400
Received: from [192.168.1.2] ([99.121.4.27]) by beta.winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 921335582.9.1224; Thu, 09 Apr 2015 18:33:19 -0400
Message-ID: <5526FF13.60200@isdg.net>
Date: Thu, 09 Apr 2015 18:37:07 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: "Murray S. Kucherawy" <superuser@gmail.com>, Brandon Long <blong@google.com>
References: <20150409020637.34444.qmail@ary.lan> <CAL0qLwZyZUO2ZJGcS3PMmMU5+qXSmKm2UeUveYujpNy9CVSJyw@mail.gmail.com> <55266C2B.4040708@isdg.net> <20559.1428585884@vindemiatrix.encs.concordia.ca> <552689EE.4090408@sonnection.nl> <5526C6AA.2060508@isdg.net> <CABa8R6tObGnpjV0Fq5DV2hHYA2Rj33nsKyEduy7Eqqx4SRAVSw@mail.gmail.com> <CAL0qLwZZRZKAffZL2tHmX9X9rQtU07QaxZpq9iAkmM-Pec_FfA@mail.gmail.com>
In-Reply-To: <CAL0qLwZZRZKAffZL2tHmX9X9rQtU07QaxZpq9iAkmM-Pec_FfA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/4iZIxDlEfI67ZLVkzj0Qd2Wc5qA>
Cc: "<R.E.Sonneveld@sonnection.nl>" <R.E.Sonneveld@sonnection.nl>, Anne Bennett <anne@encs.concordia.ca>, "dmarc@ietf.org" <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] Updated mandatory tag/conditional signature draft
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2015 22:37:12 -0000

On 4/9/2015 5:47 PM, Murray S. Kucherawy wrote:
>>
>> Every Google Apps domain has mailing lists (Google Groups) support, should
>> I put all of them automatically on such a list?  That's way more than 50k
>> records at that point, and even if they're paying me (Google) money, I
>> don't know if I would trust them to send from gmail.com or google.com.
>> Currently, for sending mail as google.com, we require vendor level
>> security audits... am I supposed to just say "ok" to every random mailing
>> list that googlers are on?
>>
>
> This is precisely why I am "showing my disinterest in completing the DKIM
> ATPS work", and also why I don't think things like DSAP or TPA will work
> either.  They all amount to creating a registration burden on the author
> domain, and those sorts of approaches do not scale.

It is still not convincing.  You are already doing a DMARC lookup. You 
are adding a new parameter to the DNS lookup and only when the ADID != 
SDID condition is met.

The registration is a long term process, just like SPF and now DMARC 
was.

> Solutions to this problem have to be self-contained in order to stand a
> chance of being viable.  The drafts before us now attempt to augment DKIM
> in a way that doesn't create any extra queries to the DNS or any other
> registry to validate.  So far, this seems way more palatable.

I'm sorry, but its not.  It would be more DKIM changes at the all 
points. It is not necessary to be done. Certainly more processing 
overhead and there are additional DNS calls.  For each new 3rd party 
signature, you got a DNS hit.  You can't avoid the DNS hit.   Adding 
ATPS/TPA to DMARC adds only 1 more DNS call and thats only when the 
ADID != SDID.

And how do you expect the new signer to learn when to create two 
signatures?  Where is that registration coming from?   Google still 
needs to learn 50K domains and also figure out how to automate it for 
Google Apps mailing list support.   Its no different Murray.

At this point, you need both ideas:

    If there is a @FS= record, check it, otherwise if ADID != SDID 
check ATPS.

DKIM signers and verifiers should not be put into a design change and 
cost burden when its not necessary.

-- 
HLS

v2.23.0 | Report a Bug | By Email