IETF Logo Mail Archive

Re: [dmarc-ietf] Authentication of reports

Seth Blank <seth@valimail.com> Wed, 20 January 2021 23:08 UTC

Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFCDD3A15BE for <dmarc@ietfa.amsl.com>; Wed, 20 Jan 2021 15:08:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zYc-y9DDx5Tu for <dmarc@ietfa.amsl.com>; Wed, 20 Jan 2021 15:08:23 -0800 (PST)
Received: from mail-vs1-xe2c.google.com (mail-vs1-xe2c.google.com [IPv6:2607:f8b0:4864:20::e2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FF9C3A15D9 for <dmarc@ietf.org>; Wed, 20 Jan 2021 15:08:23 -0800 (PST)
Received: by mail-vs1-xe2c.google.com with SMTP id p20so57687vsq.7 for <dmarc@ietf.org>; Wed, 20 Jan 2021 15:08:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mSzavoFpWFJWzUp7AoyQoenPZ5Sujc7pIW8bLb2GZt0=; b=c4bIkxJ4KYccNyrknYB93YR8jLdAd9PKit8eztusPcOMyPf0RmAAjRKkkNXrMgpvrc ajuMLtg6Fn0C7Calya9iaF7s1k56x5v9spL/fdRHTc+7qnvOJGzvnLDs8tDYQYXgLOhF d/X95QLfHhXyVtRrhD7DErn6GsOjaSnIkCirL/Vhjokfft20W5pB9fyhx4cEbwnQfI58 LH2PaXNEdy2jDZf4oeg+nMpa3TqLRyvnmpqEJXskjRIYILDRgWt1RVor2NjET5iuvCvQ qqC9/VIqpGSouwSdNMLxZYsZQEq2dQCgLzFl8KBzveGvu5nalpfw5A7o+Ez/I3qQhDjK wadw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mSzavoFpWFJWzUp7AoyQoenPZ5Sujc7pIW8bLb2GZt0=; b=pRCpT3Nk85ZyaQk+aReG5ToobiqbTXDwRIAAvl2JV9nXk/+/FyORHXjjSwaCWT3s2S SP7yHyjRN2sll+gGEwhSlR91Y5pMnh5X7cw0B3AOkRGaH/8R15wSceUVWxFddpzjIvf9 vLC7rgHqnNjMvc3OK9O+HOLAGcEsNySJMRY9tVw856sbLjEkfQ3NuJr7jkYc/tGz/MFI INhGB39JItIg+t86iZJjuToXP9TmqoZhUp/aMHoIgl6my1hVdfxnbV8mMM0IiE2oD5Ni wJyUSJTEd/5k72bqvTkio9pMcPSfQEvvD0fssAZNgtU1/1zka1r7FNWs+T+8nttID4ZU TQkQ==
X-Gm-Message-State: AOAM531meeTod7EOiDc3vRLc3rSBJtta8xOlO5RQOeC2qF5dy5x9paTq RV0UE7AHyqUwiF1KZ1XTStUh6Tzw926P/M+Jy9GXqg==
X-Google-Smtp-Source: ABdhPJzcIGWWHCmL4GIeuYzzDj8eqbmja2rCqJsVm+rDTvj9//QfD476oVA3cRed4ExAO57zhG6FO2kLLsyVad8atW4=
X-Received: by 2002:a05:6102:1c8:: with SMTP id s8mr8551735vsq.52.1611184102406; Wed, 20 Jan 2021 15:08:22 -0800 (PST)
MIME-Version: 1.0
References: <af4c2a23-4a55-9103-487c-72a394fa594f@mtcc.com> <CAL0qLwaAptLh9OFr4VdzyPV4KV1M8vbMSw8DWZCf4zqVbfaT5w@mail.gmail.com> <CAOZAAfNw1amAfubGBMXY_FzDOaPzKkBb0TiaexZhk+JZXeFZ=Q@mail.gmail.com> <ac8530f6-e8c9-bb6b-d20a-2635d997e149@mtcc.com>
In-Reply-To: <ac8530f6-e8c9-bb6b-d20a-2635d997e149@mtcc.com>
From: Seth Blank <seth@valimail.com>
Date: Wed, 20 Jan 2021 15:08:11 -0800
Message-ID: <CAOZAAfPS92sdataw5G9RJd=nY5iQXFBO3PY1iEDUkSrHMTJJLA@mail.gmail.com>
To: Michael Thomas <mike@mtcc.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000017926005b95d0806"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/64KWZfwiAG9S3fVot6dxMpkdUeo>
Subject: Re: [dmarc-ietf] Authentication of reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2021 23:08:26 -0000

Discussion is in scope, per: https://trac.ietf.org/trac/dmarc/ticket/42

This topic has come up before, and there's always general interest in
pursuing it, and absolutely no one who puts their hand up for either it
being impactful for them or having any interest in implementing it. i.e. it
seems interesting to people, but there seems to be no use case with
operational support to actually add it.

So from those previous discussions, I don't think it's likely that we'll
add reporting beyond mailto:, but it is certainly a conversation that's in
scope when either ticket is opened.

Seth

On Wed, Jan 20, 2021 at 3:02 PM Michael Thomas <mike@mtcc.com> wrote:

>
> On 1/20/21 2:59 PM, Seth Blank wrote:
>
> Michael, please open a ticket. I think you're right and some consideration
> around this is needed in the document.
>
> What about the https part? If it's not in scope I don't want to add noise.
>
> Mike
>
>
> On Wed, Jan 20, 2021 at 2:56 PM Murray S. Kucherawy <superuser@gmail.com>
> wrote:
>
>> On Wed, Jan 20, 2021 at 1:21 PM Michael Thomas <mike@mtcc.com> wrote:
>>
>>> I just scanned through DMARC and I couldn't find any security
>>> requirements/mechanisms for the failure reports. I would think at the
>>> very least the receiver consuming the reports ought make certain that
>>> the report at the very least have either a valid DKIM signature or a SPF
>>> pass. Unauthenticated data is always the source of mischief, and I'm
>>> sure that there have to be attacks that are possible with
>>> unauthenticated reports. At the very least this should be a security
>>> consideration, and most likely should have some normative language to
>>> back it up.
>>>
>>
>> I thought the usual rules about when you should or shouldn't trust a
>> message ought to be applied, but I guess we never actually said that in the
>> document.  We certainly could.
>>
>> Since I'm sort of new, it's been unclear to me whether whether having a
>>> new https transport mechanism is in scope or not -- it seems to come up
>>> pretty often -- but I'm not sure how people would propose to
>>> authenticate the report sending client. That seems to me to be a basic
>>> security requirement for any new delivery method. The problem here is
>>> there isn't a client certificate to determine where the report is coming
>>> from or any other identifying mechanism. An alternative might be to DKIM
>>> sign the report itself, but the long and short is that it would need to
>>> be addressed.
>>>
>>
>> As I recall DMARC originally (in its pre-RFC versions) did have "https"
>> as a supported scheme for "rua", but since nobody implemented it during the
>> years DMARC was in development, it got dropped before publication.
>>
>> -MSK
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
>
>
> --
> *Seth Blank* | VP, Standards and New Technologies
> *e:* seth@valimail.com
> *p:* 415.273.8818
>
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
>
> _______________________________________________
> dmarc mailing listdmarc@ietf.orghttps://www.ietf.org/mailman/listinfo/dmarc
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>


-- 

*Seth Blank* | VP, Standards and New Technologies
*e:* seth@valimail.com
*p:* 415.273.8818


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email