Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
Hector Santos <hsantos@isdg.net> Fri, 31 May 2019 14:03 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C4CC120025 for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 07:03:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=jTNu8cmV; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=cgd1yvKS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HdKLcRGu_Duw for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 07:03:32 -0700 (PDT)
Received: from mail.winserver.com (mail.santronics.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id CFCE112006F for <dmarc@ietf.org>; Fri, 31 May 2019 07:03:31 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=7515; t=1559311408; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=avLvaFZz/zxEvdlk5EfB9Qq/ZxQ=; b=jTNu8cmVWA603y3BhM/Rsv3oJ2B81WvMaR0yazmrm3W0mTW7tiZqvoGtzSY2Is O9+dW+CoFqpBHTkIigOZHVB3AjuscLERi9YQbkrScbDOa47uOdKX+9iIq5gRzasv WJIMHYPKejfzdeYPbEfYamgNUHmikDDdYeuc1CuYlAg+w=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Fri, 31 May 2019 10:03:28 -0400
Authentication-Results: dkim.winserver.com; dkim=fail (DKIM_SELECTOR_DNS_PERM_FAILURE) header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 103848868.58212.4256; Fri, 31 May 2019 10:03:17 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=7515; t=1559311221; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=OBRfXKu 44ck1i3ZMvsfRWVmiN6YZLnBw9t/0tYpEQC4=; b=cgd1yvKSPjCaUqPzDC49Q1k jqos53365/W+F0zdMmLmdx0ksx93YB9QXwVk1zjOhzhjKepZeYzt8J1puTu8jBcQ oohZ/SLbtiV/Ggyuh4HyJx60ScMUEuj7/q6yiT83Ar4TRn8CImmYu71AwbPnwXqq u7NQpnZvSwzn59DDX5RA=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Fri, 31 May 2019 10:00:21 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 1676077223.9.169128; Fri, 31 May 2019 10:00:21 -0400
Message-ID: <5CF13428.5000204@isdg.net>
Date: Fri, 31 May 2019 10:03:20 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Doug Foster <fosterd@bayviewphysicians.com>
CC: 'IETF DMARC WG' <dmarc@ietf.org>
References: <54FB29A0-517A-430E-AF5B-CB079CC3D7F6@aegee.org> <20190526144848.08A772014A0BF4@ary.qy> <CAL0qLwbxwLTpgYJN9qBTzi2oN1EMvAYuNoDbw5Rx5W46-WNyLA@mail.gmail.com> <alpine.OSX.2.21.9999.1905301712140.76792@ary.qy> <c559a331d90b49eba5b5f6e35ff4774a@bayviewphysicians.com> <1931a4e4-7112-56ae-24e6-b138466392b4@dcrocker.net> <000001d517a9$8c4f5960$a4ee0c20$@bayviewphysicians.com>
In-Reply-To: <000001d517a9$8c4f5960$a4ee0c20$@bayviewphysicians.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/6cJPqajGOSW57C8vUakEbHwhwF4>
Subject: Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 14:03:36 -0000
On 5/31/2019 8:08 AM, Doug Foster wrote:> >Tactically, what I meant was "IETF should be able to ensure that IETF > messages are only released with verifiable IETF signatures". > > This would mean that either the first signature is not applied, the message > is not altered after the first signature is applied, or the first signature > is removed after the message is altered. The current configuration leaves > open the suspicion that IETF has rogue software operating in its > environment. I am aware that the DKIM specification says to treat an > unverifiable signature as a non-signature. This is not a sufficient reason > to release your own organization's signatures onto the internet when you can > or should know that they will fail validation. If I may. In principle, I agree the IETF should be the "poster-boy" of the technologies and methods it helps engineer. Unfortunately, it is an ideal concept but not always practical nor possible to implement the proposals. In fact, with DKIM, there is a standard base but with the DKIM POLICY model, there is no standard. DMARC is not a proposed standard. It is an Informational Status document, meaning, it really has no "power." You can try to throw "the book" at someone's face for non-compliance and will throw it right back saying "its not a standard. I don't have to follow it." So that is one thing that needs to be corrected. There is only one simple reason why DMARC was introduced as an Informational Status guide. Under this status, it would not have to go through IETF engineering and review process. There was a period a few years back where this Info Status method was used to "fast track" documents. If DMARC was introduced as a proposed standard, it would of, undoubtedly, had a rough time getting endorsed, especially since the IETF was just told to abandoned ADSP for problems DMARC never resolved. DMARC came after many years with earlier versions of DKIM Policy proposed methods with many heated discussions between Policy Model advocates and Non-Policy Trust Model advocates. History of DKIM Policy (as I lived it): Before DKIM, there was Domainkeys (DKEYS) and DKEYS introduced the powerful concept of Signature Policy with the "o=" tag: o = Outbound Signing policy ("-" means that this domain signs all email, "~" is the default and means that this domain may sign some email with DomainKeys). So you had two Policy options: o=- Exclusive Signing. Mail is always signed. o=~ Neutral, Maybe you signed, maybe you didn't. This was a powerful new concept and many people, the news rags, got really excited about it because for the first time, we had a deterministic method to reject mail based on a published rules by the domain on what to expect. SPF offered this too via the hard -ALL fail policy which was catching on with more domains using -ALL. I expected the same would happen with DKIM Policy. In fact, DKEYS was viewed as a replacement for SPF because SPF had the "Node IP Transition" problem in multi-hops. With Domain Signature Policies, ideally, we could avoid the SPF IP problem. If the domain said "My Mail MUST be signed by Me" and the mail was in fact, not signed or was invalid, then the receiver had a new gained power and permission by the domain to reject/filter mail with no questions asked. In other words, it was no longer censorship. We were given the legal power to reject based on what the DOMAIN publicly published. SPF and DKIM Policy were the only protocols to offer this to mail developers. But what about 3rd party signatures? What if other domains signed on your behalf? What about List serves? Can we publish some rules about 3rd party signers? Following DKEYS lead, DKIM was introduced with extended "o=" policies called SSP (Sender Signature Policies or Practices). After much WG discussions, they were summarized: DKIM-SSP/WG Proposed Policies o=- STRONG (1s party signature required, 3rd party allowed?) o=~ NEUTRAL (signature optional, 3rd party allowed) o=! EXCLUSIVE (signature required, no 3rd party) o=? WEAK (signature optional, no 3rd party) o=. NEVER (no mail expected) o=^ USER One of the questions with DKEYS "o=-" was if it supported a 3rd party signature. Did the domain expect it to be routed via middle ware with additional signatures? The tag "o=!: was introduced to clear up that question, making it an exclusive, restrictive signing practice. But we also worked on how we can authorize a 3rd party and that was where little agreement could be reached. We could not agree on what the ser Policy (o=^) would be. How will that lower granularity of authorization work? How would we deterministically trust a list server resigning a message that will break the 1st party signature? This complexity is the reason early DKIM drafts was split into DKIM-BASE and DKIM-POLICY using SSP, but SSP was replaced with ADSP which reduced the policies to just: DKIM=DISCARDABLE DKIM=ALL effectively attempting to remove the 3rd party signature issues. Unfortunately, while it tried to get systems to ignore the 3rd party question, the reality was when a list submission occurred, the receivers would reject the invalid signatures and now the process of unsubscribing list members when the distribution failed at the receivers. We didn't see occured with ADSP but we knew it can happen. Not many receivers, if any, were yet supporting or honoring ADSP and certainly none of the List Servers supported policy. So it did what it always did. This was the main reason ADSP, a Proposed Standard, was abandoned. But ironically, DMARC replaced ADSP as an informational status document for avoid the IETF engineering process. It did not address the ADSP problem. I think people wanted the reporting part of it to learn the reasons and locations of failure/rejects. But DMARC, as we all well know, has the same problem and once receivers began to honor it and domains began to use DMARC p=reject, we began to see the problems we always expected could happen and it did - big time when Yahoo.com published the DMARC p=reject policy. Nonetheless, DMARC took off. The reason why it took off was because since day one, since DomainKeys invented it, we could not remove that powerful concept of Exclusive DKIM Policy Signature models where we have a permissible mechanism to reject/discard mail. That is a powerful concept and it only has a problem with the 3rd party signatures that we have refused to tackle in earnest. Stepping back to the 3rd party authorization design need. There is/was a 3rd party signature authorization proposal called ATPS (Authorized Third Party Signature). This is a simple mechanism that allowed you to published which 3rd party domains are allowed to sign on your behalf. My package supports ADSP+ATPS and now DMARC+ATPS. ATPS works. You can create records using these wizards: http://www.winserver.com/public/wcadsp http://www.winserver.com/public/wcdmarc So there you go. Short history as I lived it. I've been involved with this whole thing since day one. I am firm believer in the DKIM POLICY model. The concept is too strong and "it's scary" as one prominent person here once put it, and I think one day, we will finally figure it out. I just hope we don't waste too much time with ARC. Hector Santos, CTO Santronics Software, Inc. http://www.santronics.com -- HLS
- [dmarc-ietf] Debugging and preventing DKIM failur… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Дилян Палаузов
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Murray S. Kucherawy
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John R Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dotzero
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Doug Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John R Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Elizabeth Zwicky
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Stan Kalisch