Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations
Hector Santos <hsantos@isdg.net> Tue, 21 July 2020 18:08 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EBF73A0D5F for <dmarc@ietfa.amsl.com>; Tue, 21 Jul 2020 11:08:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=SQa+TTgS; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=mU2RqoPe
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8XkOOZCcsqi0 for <dmarc@ietfa.amsl.com>; Tue, 21 Jul 2020 11:08:00 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B454B3A0D57 for <dmarc@ietf.org>; Tue, 21 Jul 2020 11:08:00 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=2568; t=1595354871; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=7YImzlByKjMvmt+TQ3E25qJipGk=; b=SQa+TTgSUEWjMuxVjpF0rlyZwbzn8q/X5TT+XerZ0pr6XvNT9EiGk0KXOpouEU CfvIx5JthfQUblxo7gTvyqNo2ULK5OhwgLCJ2veqbIkWjmhktX5dmDwc2kbaZTMQ w9z6qTn0nKqcoi0AVoFwFax2g+bYy9yYB/jRwXsiCyM+E=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Tue, 21 Jul 2020 14:07:51 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 1787170166.1.6332; Tue, 21 Jul 2020 14:07:50 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2568; t=1595354770; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=QwOqwSo 9hD60BqopCzBRHt40EnttiLeDRVDupL+U/dw=; b=mU2RqoPe48n6IZ1/t6i4gI2 Y+c6mgkyIVZR5/8UkzibZCeb5ly9qqKsjD0Duct+ZvqrveJPBQxMZgnfC7ZhQd7v xgg1cVIJaaWNR/kymAwuvA8MKinI2lzZFbA/VMucyNGrOVXhDm//IDvumfXE4jQg 3hpfuzgVFa8suuFH/Sv0=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Tue, 21 Jul 2020 14:06:10 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 1497945453.1.30156; Tue, 21 Jul 2020 14:06:09 -0400
Message-ID: <5F172EF5.7000508@isdg.net>
Date: Tue, 21 Jul 2020 14:07:49 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dcrocker@bbiw.net, Jesse Thompson <jesse.thompson=40wisc.edu@dmarc.ietf.org>, dmarc@ietf.org
References: <bf5b68c74a3c487ca8a07a0a27061e47@com> <87zh7ur069.fsf@orion.amorsen.dk> <3829fac4748a48d0b752403450843bd5@bayviewphysicians.com> <c9353a06-ab31-c397-449e-7d36afbf655d@wisc.edu> <c2ad22cd-8b35-733f-bc4c-839e2c4b3e98@dcrocker.net>
In-Reply-To: <c2ad22cd-8b35-733f-bc4c-839e2c4b3e98@dcrocker.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/58SB6aD3jkl9PXwlBWCSgdF0k7o>
Subject: Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2020 18:08:03 -0000
On 7/21/2020 11:51 AM, Dave Crocker wrote: > Also then consider that the existing MLM behavior has existed and been > useful for roughly 45 years. > > The problem, here, is DMARC's imposing a change in email semantics. Dave, there are different ways of looking at this. I've work with and developed MLM/MLS for as many years, and there are "mail engineering ethics" here to consider. The first is Mail Tampering, which is part of 1986 US ECPA guidelines, Mail Tampering was an exception, not a rule, with the MLM/MLS to allow for body changes. This was not a normal expectation except to allow a very basic overhead level with headers/footers. Absolutely no tampering with the context, the "gist" of the copyrighted messages, is never expected to be altered. It was never expected for the Author field to be changed unless you had a digest or something like it where clearly the mail was not coming from you. In general, it would have been a US ECPA violation. It was not something you often seen done, if ever. The Newspaper Publisher industry is the only industry where legal concept of "Print To Fit" was acceptable for 100+ years. But if a MLM/MLS is considered a publisher, would it be exempt? Even then, the From is not changed in your letter to the editor. Second, DMARC is imposing a new security protocol based on the premise the "From" is not expected to be changed. How will the MLM/MLS fit? It can: 1) Supports the security protocol and the problem is solved. Exclusive domains made a published policy statement for exclusive signing. The Exclusive Domains does not expect its users to be using their domains outside the work place. The policy is honored. 2) Unintentionally ignorant of the security protocol, does nothing. This is your true legacy system. 3) Intentionally ignorant of security protocol while continue to resign mail. This is not a legacy system if it has adapted to resign mail and chose to neglect and ignore the security protocol. 4) Same as #3 but also rewrites From field. #1 and #4 will resolve the problem. The proper protocol engineering fit is with #1. While #4 resolves the issue, it is perpetuating an undesirable design that can have serious mail engineering consequences simply by watering down the value of persistent 5322.From. The #2 and #3 MLM/MLS will be remain as problems until they change or the user is made aware he can't use his exclusive domain on a public forum. -- Hector Santos, https://secure.santronics.com https://twitter.com/hectorsantos
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- [dmarc-ietf] Response to a claim in draft-crocker… Kurt Andersen (IETF)
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker on behalf of Kurt Andersen
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Alessandro Vesely
- Re: [dmarc-ietf] Response to a claim in draft-cro… Jim Fenton
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Murray S. Kucherawy
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Murray S. Kucherawy
- Re: [dmarc-ietf] Response to a claim in draft-cro… Alessandro Vesely
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… John Levine
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] no from addresses nowhere, Respo… John Levine
- Re: [dmarc-ietf] Response to a claim in draft-cro… Murray S. Kucherawy
- Re: [dmarc-ietf] Response to a claim in draft-cro… Murray S. Kucherawy
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Murray S. Kucherawy
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Alessandro Vesely
- Re: [dmarc-ietf] Response to a claim in draft-cro… Laura Atkins
- Re: [dmarc-ietf] Response to a claim in draft-cro… Benny Lyne Amorsen
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dotzero
- Re: [dmarc-ietf] Response to a claim in draft-cro… Benny Lyne Amorsen
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Jesse Thompson
- Re: [dmarc-ietf] Response to a claim in draft-cro… Brandon Long
- Re: [dmarc-ietf] Response to a claim in draft-cro… Brandon Long
- Re: [dmarc-ietf] Response to a claim in draft-cro… Brandon Long
- Re: [dmarc-ietf] Response to a claim in draft-cro… Murray S. Kucherawy
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… John Levine
- Re: [dmarc-ietf] Response to a claim in draft-cro… Laura Atkins
- Re: [dmarc-ietf] Response to a claim in draft-cro… Laura Atkins
- Re: [dmarc-ietf] Response to a claim in draft-cro… Laura Atkins
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Jesse Thompson
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Brandon Long
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dotzero
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Hector Santos
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Joseph Brennan
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dotzero
- Re: [dmarc-ietf] Response to a claim in draft-cro… Joseph Brennan
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Brandon Long
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Jesse Thompson
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Doug Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… John Levine
- Re: [dmarc-ietf] Response to a claim in draft-cro… Jesse Thompson
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dotzero
- [dmarc-ietf] DMARC marketing Jim Fenton
- Re: [dmarc-ietf] Response to a claim in draft-cro… Joseph Brennan
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Joseph Brennan
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Benny Pedersen
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Joseph Brennan
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Benny Pedersen
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Hector Santos
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Jim Fenton
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Hector Santos
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Hector Santos
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dotzero
- Re: [dmarc-ietf] DMARC marketing Jesse Thompson
- Re: [dmarc-ietf] Response to a claim in draft-cro… Jesse Thompson
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker