IETF Logo Mail Archive

Re: [dmarc-ietf] indeterminisim of ARC-Seal b= value

Seth Blank <seth@valimail.com> Thu, 30 March 2017 17:35 UTC

Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53FC31293DA for <dmarc@ietfa.amsl.com>; Thu, 30 Mar 2017 10:35:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P2kEhZXr4dGi for <dmarc@ietfa.amsl.com>; Thu, 30 Mar 2017 10:35:12 -0700 (PDT)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0866A129443 for <dmarc@ietf.org>; Thu, 30 Mar 2017 10:35:12 -0700 (PDT)
Received: by mail-qk0-x22c.google.com with SMTP id d10so46589785qke.1 for <dmarc@ietf.org>; Thu, 30 Mar 2017 10:35:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=vjZvPBb+pQFB/G8Put0En+66MUrMxHmIQXYSIGgrpgQ=; b=Zd/2NjpsZiWibqTw3rPNyaD9qmxSg/JgpvLgwAjfQ6woFpJb6vNQBNJ2skzLwNRsKF aPC54ts19FgvpmlaG3ALYZVxMgRrBDutYaYZdZvZoYyq/rkBsWip6LIkgRR9Q3A+4aM/ 6LZLHPG+AWe30uXeIMc5JvTM2VKrWCWAj6idHj2ydLitfIJOvt5SMs+gXVbtlCnnyabo FH6+H3eKP0Lo/It68zkbUu2SD0GXfyCmCylCiPXPi//mrfcRS923LMZ2cxraKYlqpSqH qaskNZ8UMS+nWL13uW6D3Pii2lxpCZ0ZSmGYzbGZ4pPsy7mXTabTIGiLxAa/YoVbypN3 CbUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=vjZvPBb+pQFB/G8Put0En+66MUrMxHmIQXYSIGgrpgQ=; b=i+VDYn2VTNrVXPZ0UFY9ZgxZA8UvXrZEQgLCDe2sn9Ak6t+olRzYZaNvjRinqKbnC6 YCUSQMvAXMEfTzpaZusYVDIkqDRPx/ty/E6F9O7ahRX+GB/y/OwzsQcVfOB1sXVd9eyL iiPLPKJ9/59FB/GGD23y7x08F+gaYToLj+aFdJnQ+09Oo7se4V9EdIW7s3iZ1rL0vxjp juwdclI1NrDroiYXzxKUEwE2CNVRE0ciWamPHNOY5UY9Dto03rrJBNkv3QlsBNsNpb4m RS603YYlpNsmPmcInDJ80deDaqHZk874Mi8fXjbBkMNeUVsIDcNeaJ4cS5Io6VwQSwMq vbWw==
X-Gm-Message-State: AFeK/H0nfYqgAcEps/WneFjhX/zQzPhC++Ok5FTjw9N7Ej1HYvg9sSMcFZsKgdlHHPnZ1pOQXsPx5Rv1ItJcww==
X-Received: by 10.55.176.135 with SMTP id z129mr891110qke.308.1490895311051; Thu, 30 Mar 2017 10:35:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.200.42.166 with HTTP; Thu, 30 Mar 2017 10:34:50 -0700 (PDT)
In-Reply-To: <01QCKR5S5OXK0003XB@mauve.mrochek.com>
References: <CANtLugO_D1Mz_v_341pc5O1mZ7RhOTrFA3+Ob5-onp72+5uRfA@mail.gmail.com> <alpine.OSX.2.20.1703272118210.2533@ary.local> <CAOj=BA0YKHYrkseR=wwgZn0_GNBKfdL7jmHehgBRzxqGKV6C1g@mail.gmail.com> <2978391.eJVbVTHBlo@kitterma-e6430> <CAL0qLwbP4c+09=TNSOsDqKwcp6iw++aGW8jDhARoVwvsghSLvA@mail.gmail.com> <01QCKR5S5OXK0003XB@mauve.mrochek.com>
From: Seth Blank <seth@valimail.com>
Date: Thu, 30 Mar 2017 10:34:50 -0700
Message-ID: <CAOZAAfM5A0G-DXZLS8704MssozwXHPh=_O-JVAAF5qSR6Cvong@mail.gmail.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Cc: "Murray S. Kucherawy" <superuser@gmail.com>
Content-Type: multipart/alternative; boundary="94eb2c06569469b1a6054bf61d3e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/6E0wNjl-srKjszQZEbbQfPLffjE>
Subject: Re: [dmarc-ietf] indeterminisim of ARC-Seal b= value
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 17:35:18 -0000

On Thu, Mar 30, 2017 at 7:01 AM, <ned+dmarc@mrochek.com> wrote:

> > On Mon, Mar 27, 2017 at 11:49 PM, Scott Kitterman <sklist@kitterman.com>
> > That sort of organic validation of implementations seemed to work for
> > DKIM.  The unknown here is whether ARC will be as successful with that
> > model.
>
> Exactly. And given the success of the approach with DKIM, the burden is
> on those proposing to use a different model for ARC to explain why it will
> work better.
>
> And note that "this kind of test becomes possible" is not sufficient. All
> kinds of tests become possible when you add constraints - the question is
> what sort of real world problem will those additional tests find.
>


ARC is fundamentally different than DKIM in several key ways. If we were
only talking about ARC Signing messages, I'd generally agree with the
comments on this list.

However, ARC is fundamentally different. It is about a chain of messages
that validate each other. And ARC's complexity is not in the signing (where
most of this conversation has been focused), but in this chain validation
and the cascading issues that can be created by any member of the chain
doing something slightly wrong. And since *everyone* in the chain except
the initial signer is also a receiver, the final receiver simply can't make
up for mistakes caused by a less savvy intermediary - the chain will
already be broken and unrecoverable.

ARC also has a lot of subtlety that is missable at interops because of
this. For instance, if I'm modifying a message, I need to validate the
incoming chain, then make my modifications, and then sign the outgoing
message. An intermediary doing this wrong (say, validating and then signing
after message modification) isn't a bug a final receiver can fix. And
without a seriously complex interop with a ton of intermediaries and
sending relationships mapped out for testing, it's not likely an error in
any specific implementation here will be discovered until it's too late.

To my understanding, working on the test suite shook these issues out
because they were what caused problems running the test suite at the
interop in the first place. So this is actually a good and healthy part of
the process, and is the natural consequence of the interops. What worked
here for DKIM is insufficient with the nuances of ARC.

What we've been discussing doesn't just guarantee a test suite can be made
that works for everyone (which is huge in itself), but constrains the
problem space for everyone involved in an ARC chain. This is clean and
desirable.

Since the spec isn't finalized, this is the perfect time to impose some
order that isn't necessary for DKIM but is critical when we're talking
about multiple operators working together over multiple hops as part of a
chain of trust.

Seth

-- 

[image: logo for sig file.png]

Bringing Trust to Email

Seth Blank | Head of Product for Open Source and Protocols
seth@valimail.com
+1-415-894-2724 <415-894-2724>

v2.23.0 | Report a Bug | By Email