Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
Hector Santos <hsantos@isdg.net> Fri, 31 May 2019 15:46 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65D3912013A for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 08:46:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=QP4zYTq7; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=Ce9EoQui
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7q0lhbqgeDzc for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 08:46:22 -0700 (PDT)
Received: from mail.winserver.com (groups.winserver.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 35161120147 for <dmarc@ietf.org>; Fri, 31 May 2019 08:46:22 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=6318; t=1559317574; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=m1CFn5Fll25APvelJ9CY+lm28hc=; b=QP4zYTq76j6MEPJ6/yFj0IdVYj/E8qFJpaYi05/pjo6iq/S6R+kqG+8sVDSLga 5o/pQ/pmr5DvSjg8jcjFJ4F/jQ7EQcTPPopvDf09GspPVeXRxPfmydwJFKCZHsD+ Atj5gnHFDUnV4aLqcBOFAw0HSxnrm1s7fUgCXcIZmJn34=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Fri, 31 May 2019 11:46:14 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 110024012.58212.4484; Fri, 31 May 2019 11:46:12 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=6318; t=1559317396; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=GRqIt7v QsTQIrFZ0iA8g2GwqkN+iWcl6TVYx2hGgohU=; b=Ce9EoQuiuxbUDy2C/2C154w HcfBS5PlXIW07D1lpF6/Gm+wrUprA6E1X3NC5l9UVycrVsShdqIktw/yO0GJ10W/ FOgkwHIknVVlFzjO5HasxKENhWo/6ofheF8y2Yq6ZzBbjkgM9KJ2n30LmkIwCBde AtyEEy95Tc0sfZAXTArM=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Fri, 31 May 2019 11:43:16 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 1682251801.9.291380; Fri, 31 May 2019 11:43:15 -0400
Message-ID: <5CF14C46.4040100@isdg.net>
Date: Fri, 31 May 2019 11:46:14 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <54FB29A0-517A-430E-AF5B-CB079CC3D7F6@aegee.org> <20190526144848.08A772014A0BF4@ary.qy> <CAL0qLwbxwLTpgYJN9qBTzi2oN1EMvAYuNoDbw5Rx5W46-WNyLA@mail.gmail.com> <alpine.OSX.2.21.9999.1905301712140.76792@ary.qy> <c559a331d90b49eba5b5f6e35ff4774a@bayviewphysicians.com> <1931a4e4-7112-56ae-24e6-b138466392b4@dcrocker.net> <f5106924930f41c5bd83a709e4307f8b@bayviewphysicians.com> <5CF141F6.7030000@isdg.net> <189794E3-5C3A-4A5F-B4C0-A64842FD4625@otoh.org>
In-Reply-To: <189794E3-5C3A-4A5F-B4C0-A64842FD4625@otoh.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/5JhACW-NMPeaurQumJgNsgcPOXo>
Subject: Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 15:46:26 -0000
Yes, RFC 7960 summarized/gathered what was already well known. We
also have a List Server product, for practically "30 years," too and I
am very aware of how mail flows works. One problem is the fallacy
that we didn't want to change software. Well, I was ready to do so,
and did, and only until others were force to do so, other list servers
began to do the 5322.From rewriting thing. Not my preference to be
tampering with the author address, I do recognize it helped address
the issue. The better rand more logical alternative (imo) is for the
list to:
- Deny Restrictive Domains in the name of security, both for
subscriptions and submissions into a list.
Finally, in my opinion, extended policy designs need to be revisited
as an simplified alternative to the experimental status, a high
overhead, expensive ARC design which really doesn't promise anything,
yet, other than record what kind of failures happened. I can't find
convincing ARC design logic that suggest this will help address the
unauthorized 3rd party resigner problem unless as I suggested, it
comes with an extended DMARC tag that gives receivers the "authority"
to check the "ARCness" of a failed DKIM message. Even though, I would
only like to do so with authorized domains I trust.
On 5/31/2019 11:16 AM, Elizabeth Zwicky wrote:
>
> RFC 7960 has an extensive discussion of mail flows that modify mail (as well as other cases that are problematic for DMARC). Mailing lists are not the only case, and, as John has pointed out, reformatting and part stripping are things that happen in mail flows.
>
> Elizabeth
>
>> On May 31, 2019, at 8:02 AM, Hector Santos <hsantos=40isdg.net@dmarc.ietf.org> wrote:
>>
>>> On 5/31/2019 6:59 AM, Douglas E. Foster wrote:
>>>
>>> DKIM was supposed to provide sender authentication when SPF was
>>> invalidated by forwarding, so DMARC said that the two techniques
>>> should be evaluated together.
>>
>> Unfortunately, DMARC did not have a policy that offered that output.
>>
>> SPF >> FAIL
>> DMARC >> PASS?
>>
>> Overall, DMARC failed to cover all the possible scenarios of mixed signatures.
>>
>> To cover all aspects, the DKIM POLICY model has to offer 3rd party signature conditions. In the DSAP proposal, it highlighted this as the broader possible options:
>>
>> https://tools.ietf.org/html/draft-santos-dkim-dsap-00#section-4.2
>>
>> +-----------------------------------------------------------------+
>> | op= | 3p= | Domain Policy Semantics |
>> |=================================================================|
>> | empty | empty | No mail expected |
>> |-----------------------------------------------------------------|
>> | never | never | No signing expected |
>> | never | always | Only 3P signing expected |
>> | never | optional | Only 3P signing optional |
>> |-----------------------------------------------------------------|
>> | always | never | OP signature expected |
>> | always | always | Both parties expected |
>> | always | optional | OP expected, 3P may sign |
>> |-----------------------------------------------------------------|
>> | optional | never | Only OP signing expected |
>> | optional | always | OP expected, 3P expected |
>> | optional | optional | Both parties may sign. |
>> +-----------------------------------------------------------------+
>>
>> That covered all possible combinations.
>>
>> We actually wrote an IETF functional spec regarding Sender Signing Policies:
>>
>> rfc5016 Requirements for a DKIM Signing Practices Protocol
>> https://tools.ietf.org/html/rfc5016
>>
>> Abstract
>>
>> DomainKeys Identified Mail (DKIM) provides a cryptographic mechanism
>> for domains to assert responsibility for the messages they handle. A
>> related mechanism will allow an administrator to publish various
>> statements about their DKIM signing practices. This document defines
>> requirements for this mechanism, distinguishing between those that
>> must be satisfied (MUST), and those that are highly desirable
>> (SHOULD).
>>
>>
>> But then something happen as this document was being completed -- list administrators got scared that DKIM Policy was gaining tractions and stepping into their market toes. After all, we had "30 years" of legacy list operations, we did not want DKIM Policy interfering with the broad range of established list distribution operations. So this RFC5016 "Blocker" was written at the last minute to preempt it from happening:
>>
>> Section 5.3, Item 10
>> https://tools.ietf.org/html/rfc5016#section-5.3
>>
>> 10. SSP MUST NOT provide a mechanism that impugns the existence of
>> non-first party signatures in a message. A corollary of this
>> requirement is that the protocol MUST NOT link practices of first
>> party signers with the practices of third party signers.
>>
>> INFORMATIVE NOTE: the main thrust of this requirement is that
>> practices should only be published for that which the publisher
>> has control, and should not meddle in what is ultimately the
>> local policy of the receiver.
>>
>>
>> That was basically, a "Don't step on my turf!!" requirement. It also meant "Local Policy Always Prevail" regardless of what a Domain published which is always the case anyway. Does not need to be stated. But overall, this is what help demote SSP, ADSP, ATPS and DKIM policy in general. ADSP was abandoned.
>>
>> But no one can kill a good idea, the proof of concept was too powerful, hence it returned as DMARC but as an informational status document to avoid the IETF mch higher review process.
>>
>> I have no idea how a high overhead, complex ARC will resolve this problem unless
>> it comes with a 3rd party signature concept with an extended DMARC "arc=y" tag:
>>
>> arc=y If the 1st party signature failed, then authorize the XYZ
>> domains using ARC seals to promote a failure to a pass.
>>
>> How would you specify the 'authorization" of XYZ domains and do so at scale?
>>
>> --
>> HLS
>>
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>
--
HLS
- [dmarc-ietf] Debugging and preventing DKIM failur… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Дилян Палаузов
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Murray S. Kucherawy
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John R Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dotzero
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Doug Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John R Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Elizabeth Zwicky
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Stan Kalisch