Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
"Murray S. Kucherawy" <superuser@gmail.com> Thu, 17 August 2017 18:56 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 574051324D2 for <dmarc@ietfa.amsl.com>; Thu, 17 Aug 2017 11:56:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XHS3RrGWxpLd for <dmarc@ietfa.amsl.com>; Thu, 17 Aug 2017 11:56:13 -0700 (PDT)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1409B1325DD for <dmarc@ietf.org>; Thu, 17 Aug 2017 11:56:13 -0700 (PDT)
Received: by mail-qk0-x235.google.com with SMTP id a77so41857000qkb.0 for <dmarc@ietf.org>; Thu, 17 Aug 2017 11:56:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=bCWRSzEQNWzDHkLRlLdJ7wBJi8GcyJm4642+MMd67V0=; b=QaMC08z7swc3cnF1A0gld+QHaYQlYHNVrJTLrmGO4tJ8Jh+I9N+xjjgxpkLlzXfVh4 Px/Gwg3vdO7BYlFlOqA0jOKoxjdv7gt9plCwdYEPvYDLMd3BCLWmgd3sRbFxQgRRP3D9 lkWthI/fwAaeoGTUs0wvYpcpqX2+KBpCbaL2rM1JDZzE9vlUbw3tzUSjtFXnoZoPDDSg TzDuqwnN5bb0j+XusOX9Hl1UzDJxWLsMQF4WZobweUKYjgTU0vItqxoUtrqhYaUtVOF4 dD/g5WBBv7LxEyvINUeK9uXcDiO16R2CkpdAgnreejx3WlyvOer0bYCmNpIY19Wt5OSw LNzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=bCWRSzEQNWzDHkLRlLdJ7wBJi8GcyJm4642+MMd67V0=; b=m9I0RIcXyeuHWb76AgVMXB7mn1ssx8G/IxetbpxKw/Tdzpna2NWYhHZU4PSH/VwI8/ PgiOinm3AMl0vQtEMwk0T4Q+/P2MYPZhMr0DPAM2wSX6U+ia/gtC8EzVjD+7MPLHQo4i w5CZ98YaH5+o6sWphvh+7Sza+SQkerZVEj5RT96Sl9SN9c+bwV7xkpplVO5k99zl3u36 cHljSYixjx0iCsxhhC1XjIYj2BMYyAn2xSX6/F1B1Rz6MA1iSdSkJW9HAEiXJ0Vsjrb8 JcvB82QDTzYcXA02Pi4z8XLjFUlgsBBUeg+DeJmsJlKAN4t1t42bVoqZXlETWFb5RvIr LTmg==
X-Gm-Message-State: AHYfb5g6lZClEhqlj4UU7BFU6ohDtL3w77KDIn84O7Bkceh3C7OIFf3Y KC+zORwjsFJMf22mTWA0WJGQ5muEE/Ex
X-Received: by 10.55.118.71 with SMTP id r68mr8116015qkc.234.1502996172127; Thu, 17 Aug 2017 11:56:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.237.57.34 with HTTP; Thu, 17 Aug 2017 11:56:11 -0700 (PDT)
In-Reply-To: <1502957343.3548792.1076152832.1FEB1A8C@webmail.messagingengine.com>
References: <1502957343.3548792.1076152832.1FEB1A8C@webmail.messagingengine.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 17 Aug 2017 11:56:11 -0700
Message-ID: <CAL0qLwY9Wm-8N8A2On3B8T85Q5PsmA3mFm1BSpyX7n9VSa0hDw@mail.gmail.com>
To: Bron Gondwana <brong@fastmailteam.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c05f7e6f045bf0556f790a3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/7-aMq_BVgf-GXZYD6N4DBeVGA-M>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 18:56:15 -0000
On Thu, Aug 17, 2017 at 1:09 AM, Bron Gondwana <brong@fastmailteam.com> wrote: > On Thu, 17 Aug 2017, at 15:28, Murray S. Kucherawy wrote: > > On Wed, Aug 16, 2017 at 5:47 PM, Bron Gondwana <brong@fastmailteam.com> > wrote: > > While there exists A SINGLE SITE which is ARC-unaware and DMARC p=reject > aware, you can't use ARC on a DMARC p=reject domain without rewriting the > sender. Otherwise that site will bounce the email. > > > Goodness, it's a wonder that we've ever successfully deployed anything > incremental around here. ;-) > -MSK > > > I laugh as well, but it's more than p=reject isn't enough in the ARC > world, because it doesn't distinguish between: > a) I'm OK with email from my domain being sent via mailing lists; and > b) no, this domain is only ever used for direct messages, it should never > appear in ARC chains that don't also pass DKIM. > > The existing behaviour of p=reject is (b) for receivers that don't support > ARC - so the question becomes: are we defining ARC to changing the > behaviour of p=reject to (a)? If so, will we define a different (b) later, > when we could instead have > defined a different p= for (a). > My point is that the "SINGLE SITE" posture is absurd. In all likelihood there are still some MTAs out there that don't implement ESMTP and nothing has melted. We should fully expect things to roll out gradually, as they always have. Anyone planning for a flag day should speak up now so we can disabuse them (and, of course, abuse them). If the success of DMARC depends on 100% deployment of ARC, we may as well pack up and go home now. It'll never happen. I support the idea of trying ARC even in the form you claim includes superfluous operations. (For the record, I find your technical argument compelling.) If after a period of experimentation and data collecting we find that the seal is not itself useful, we can negotiate a reduced form and try that. If you really want to prove your point sooner, implement both, run them for a while, and publish the results. But given that there are interoperating implementations now, I think there's enough to be learned from the experiment to continue from here rather than reset. -MSK
- [dmarc-ietf] ARC-Seal is meaningless security the… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Tim Draegen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… John Levine
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Scott Kitterman
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… MH Michael Hammer (5304)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… mhammer@americangreetings.com
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos