IETF Logo Mail Archive

[dmarc-ietf] Re: What do do with ARC, Re: Discussion Thread

"John R. Levine" <johnl@iecc.com> Sun, 27 October 2024 20:16 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D9E8C14F60D for <dmarc@ietfa.amsl.com>; Sun, 27 Oct 2024 13:16:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mpL1S-_rRO5 for <dmarc@ietfa.amsl.com>; Sun, 27 Oct 2024 13:16:47 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31BF9C14F5F8 for <dmarc@ietf.org>; Sun, 27 Oct 2024 13:16:46 -0700 (PDT)
Received: (qmail 21236 invoked from network); 27 Oct 2024 20:16:45 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=52f2671e9fad.k2410; t=1730060195; x=1730405795; bh=UcIWaIuFnAgV1wVfAJKO+O3KcRUcjmd+fWsTHQFAGpk=; b=CgqqdBlXSKaFRYLesAOTGdwOJ8kbAJdqMXNM4ZnWzddzfYE71TW/G3VCZqMuIzS0W7DokX22n16NnNkeyixsgwWabaFS4NXkKPMoeuOXzIs9xbNhuyYR+HqMTuiJQZeMuc1t9GK9yNhsJyBWn/5lsjQ6YFHdKqUm6xzdL+NeDKyzLRBizMgMQqhPN5v1VxgnQVmOETdu4smb4EdPiEFtDicKAzWt6cIyVX2UEiXAtrBxm4qRZVu101PiaGQil+FdMMBKw1d7qeygtMRiT7ql4SFHMpzn+fVZZGhR16BegFoiLjQpkcrYH7lheigssGRzibdzu3VakDMkvXNt4VmtAw==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 27 Oct 2024 20:16:44 -0000
Received: by ary.qy (Postfix, from userid 501) id 3E04CA3ABEE5; Sun, 27 Oct 2024 16:16:43 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by ary.qy (Postfix) with ESMTP id 99D2DA3ABEC7; Sun, 27 Oct 2024 16:16:43 -0400 (EDT)
Date: Sun, 27 Oct 2024 16:16:43 -0400
Message-ID: <837c6e10-cf14-8d10-a5ea-c9bd7cc43b5a@iecc.com>
From: "John R. Levine" <johnl@iecc.com>
To: Tero Kivinen <kivinen@iki.fi>
X-X-Sender: johnl@ary.qy
In-Reply-To: <26398.39036.299187.97077@fireball.acr.fi>
References: <CAHej_8=Gs0XURT4UVrKxxfc45BtVDmPRgGT9rvxDHBbzbd-0bw@mail.gmail.com> <21B7963C-1CBC-4017-98D7-77749FDA6B3E@bluepopcorn.net> <CAL0qLwYqrf=G2ws1e05EUS2JSaU=KyhcXF8OUJ5aXV4nvKXVFA@mail.gmail.com> <bbfe0737-b8af-412c-9d98-a31c29b8c175@crash.com> <CAL0qLwYqMyUtFcmTFs8HOwjPnt_0VN2UxpuwXbYwpOc5JgtfgQ@mail.gmail.com> <20241024221344.26C84A326945@ary.qy> <df9b2e0f-f7cb-4346-a2d0-0f55be92e8f2@tana.it> <084985fb-5bcd-1acf-e73c-358690f49f3a@taugh.com> <ef05185f-71ef-451d-87ec-ec0943b5fe72@tana.it> <43f5078a-0873-d22a-b529-8112de51c7ca@taugh.com> <3c6cb525-b0c0-4fed-9207-bb1b841fde9b@tana.it> <CAL0qLwbitDNYra61SFR=-hJuMDvm9WwLLc_NKhDLOTEV9UcgrQ@mail.gmail.com> <ea436117-f93a-dc99-394d-e2f4eae09a02@taugh.com> <RjYH+xcRhSHnFAu7@highwayman.com> <26397.38204.564597.374262@fireball.acr.fi> <WvgG9Tty+iHnFAP5@highwayman.com> <26398.20320.975512.417122@fireball.acr.fi> <fe65595a-1f67-837f-37d7-9df0606c375b@iecc.com> <26398.39036.299187.97077@fireball.acr.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Message-ID-Hash: SZ7N3TUTIPSXEX747L6G2QVWAGTCMLKN
X-Message-ID-Hash: SZ7N3TUTIPSXEX747L6G2QVWAGTCMLKN
X-MailFrom: johnl@iecc.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dmarc.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Richard Clayton <richard@highwayman.com>, dmarc@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [dmarc-ietf] Re: What do do with ARC, Re: Discussion Thread
List-Id: "Domain-based Message Authentication, Reporting, and Compliance (DMARC)" <dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/6E89SBnGjgtfs0pmJTjGx3KPUWk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Owner: <mailto:dmarc-owner@ietf.org>
List-Post: <mailto:dmarc@ietf.org>
List-Subscribe: <mailto:dmarc-join@ietf.org>
List-Unsubscribe: <mailto:dmarc-leave@ietf.org>

On Sun, 27 Oct 2024, Tero Kivinen wrote:
> If there is no malicous forwarders, you can just trust the ARC headers
> they put in, and if they said DKIM was valid when it came in, you can
> trust it...

First, I really would encourage you to read Richard's draft, again if you 
already have, because most of this is addressed there.

With ARC you cannot tell whether it's really a forward, so the reputation 
of the forwarder is the only thing you have.

With DKIM2 a malicious forwarder would have to take a signed message sent 
to that forwarder, make changes, and sign it again and send it out.

DKIM2 puts the envelope recipient in the signature so you can't forward 
some random message you found in an archive, you can only forward a 
message sent *to you*, and it has date stamps, so it has to be a message 
sent to you recently.

I suppose some kind of spear phishing would make this worthwhile, but the 
need to start with a recent message sent from someone with a good 
reputation to you makes it a lot harder.

R's,
John

v2.43.4 | Report a Bug | By Email | System Status