Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

Brandon Long <blong@google.com> Fri, 03 August 2018 18:00 UTC

Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E4ED13108C for <dmarc@ietfa.amsl.com>; Fri, 3 Aug 2018 11:00:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.509
X-Spam-Level:
X-Spam-Status: No, score=-17.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YJOHEmd2Q-YI for <dmarc@ietfa.amsl.com>; Fri, 3 Aug 2018 11:00:33 -0700 (PDT)
Received: from mail-yb0-x233.google.com (mail-yb0-x233.google.com [IPv6:2607:f8b0:4002:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4A1E131084 for <dmarc@ietf.org>; Fri, 3 Aug 2018 11:00:33 -0700 (PDT)
Received: by mail-yb0-x233.google.com with SMTP id i9-v6so2964299ybo.5 for <dmarc@ietf.org>; Fri, 03 Aug 2018 11:00:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SO3PkzrKgDhIAFsWgucJ6yGTc390+Q0S8c9w6C1gD1A=; b=khar2lqcUZD9m1ZIJhWQOw1VL3uFqNwzQlUhOti4kwsORJmzObi91QYnNsVhcmpJhr 7fNiN+NKEhiTSdyG7M8/fXQBCprhZWCLTcmsyDGXd+bhDODBGh/iFwoBsDdsgUla/ekk Hde3PDdoxYxYPuZGBEMCPEy8Dq1YpGy2ycWwGWNlsO3rFxDXqXGebRXoOpj+/7PIbxtO 0FQYzpgk0EUoNAmMT3VttpWFNmN8+euOr8yWt+7/HVv7UJ6oKWUsA/R8uHtwfWBMzo3i sXWNVTG4qDVJeYo88465qtpNG/R8KNSFGIbmW5ganrNxWJaQ/KRhN5+PO40Fo7JazgZL rr8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SO3PkzrKgDhIAFsWgucJ6yGTc390+Q0S8c9w6C1gD1A=; b=RwiIITi4RacZx/6tJlW/+MAywTMWmSCVcUUfhyJ17R/C651G02C1bIqhQWSPUt0YmM mfOl0bJ5WK4Gw+/pu8dokBvja81dgpxPysVln8lKfvz+LE0s66O4AgAmTBfD+ItRpYZY cGQ/0Wv4t24cei3yL8bc+skjFo0erjlCq+ntaHZ8pmFhYeWJF4wEboPwQeKJExhGZCh3 HZpwrWB79oqf/wvrO6DekMEOTuXzEHn5GEKFQxzJeCOH6/zBmBmk3gi+Eo/zGzTbl2N3 xywRIHhqdePoSecs6WoVNBa532NicIvgO0rXMWKLcFyFMUkkuj9xMWxlDBn6RzDtjgXA TOmQ==
X-Gm-Message-State: AOUpUlGEt0//HhQDha2mfbJbv2x1whI4QI/anoe/J/llJ0qkeMV3eAQG d2pYfLPV+XDTRqsRPIXIcZ8RtlXO3jxdokcdsCccmo0=
X-Google-Smtp-Source: AAOMgpcwhkE+HQE0V67vq01QtOvsNZtWObBjuc53vT9/yEYr5DvTUgcvZKtjIQ4vZkZ6mFXO3AbA5pEYeQHkqOI8WjI=
X-Received: by 2002:a25:860a:: with SMTP id y10-v6mr2573191ybk.327.1533319232210; Fri, 03 Aug 2018 11:00:32 -0700 (PDT)
MIME-Version: 1.0
References: <CAD2i3WNSe+of7U8fdTnmUeU3sthUbpEVgdYHT9J6BgLxoeOL3w@mail.gmail.com> <20180730221726.713CE200316625@ary.qy> <CAD2i3WMvCugRm4KZeLx3PFb6f_pKR3rs4mnH2FZO4_X7ZA7GHA@mail.gmail.com> <alpine.OSX.2.21.1807302025420.60501@ary.qy> <CABa8R6sWSu9Q+mozxzaVGab3PE2zxqVmt4L6FERSLC1oDTh1oA@mail.gmail.com> <alpine.OSX.2.21.1808031352460.29088@ary.qy>
In-Reply-To: <alpine.OSX.2.21.1808031352460.29088@ary.qy>
From: Brandon Long <blong@google.com>
Date: Fri, 03 Aug 2018 11:00:18 -0700
Message-ID: <CABa8R6u_09D9BNiq3fXDXjPVfFeZxHtRa0NyLamKyj033xO72A@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002a9ab905728bb463"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/8UQDH6dq6moLRd8Q9uWg8IJvSs0>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Aug 2018 18:00:36 -0000

Currently, we don't do anything with failed chains short of keeping stats.
Everything we've used the chain for so far has been from passing chains.

That said, we still only trust our own chain elements; we haven't seen wide
enough adoption to spend much effort on interpreting chains which
involve multiple parties.

Brandon

On Fri, Aug 3, 2018 at 10:54 AM John R Levine <johnl@taugh.com> wrote:

> > I know I lost the argument on cv (I think cv is entirely superfluous and
> > there's no point adding/signing a cv=fail header), but it seems the
> > argument for that is more data.  That said, this "either or" signing set
> > thing on cv=fail seems pretty cumbersome.
>
> You guys have looked at as many ARC signatures as anyone.  Once the chain
> has a cv=fail do you learn anything useful from further seals?
>
> R's,
> John
>
> >> In 5.2, oldest pass is confusing, since it doesn't tell you whether
> >> the validation succeeds or not.  I would take out steps 5-7 and add
> >> something to the INFORMATIONAL at the end like "A validator can check
> >> the AMS headers to estimate when in a chain of forwards the message
> >> was modified."
>
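The chain handling this thread is arguing about (the cv value on each seal, seal verification over the earlier instances, and the "oldest pass" estimate that the quoted text says a validator could take from the AMS headers), as an added worked example. It is not code from this thread, from Google, or from the ARC specification or any of its implementations. It is a deliberately simplified model: HMAC-SHA256 with a constructed per-domain secret stands in for RSA signatures and DNS key lookup, an ARC set is a dict rather than three RFC 5322 header fields, canonicalisation is a fixed join of the covered fields, and the oldest-pass convention used here (0 when every AMS verifies, otherwise the lowest instance whose AMS still verifies) is an assumption of the example rather than text quoted from the draft. The `usable_for_override` policy function, also an assumption, illustrates a receiver that only acts on chains whose sealers it already trusts.

```python
import hashlib
import hmac

MAX_INSTANCES = 50

# Constructed stand-in for each sealer's signing key.  Real ARC sealers sign
# with a DKIM-style key pair and validators fetch the public key from DNS;
# the shared secrets here only keep the example self-contained.
KEYS = {
    "lists.example.org": b"constructed-key-lists",
    "example.com": b"constructed-key-corp",
    "evil.example": b"constructed-key-evil",
}


def _mac(domain, data):
    return hmac.new(KEYS[domain], data.encode(), hashlib.sha256).hexdigest()


def _ams_input(msg):
    # ARC-Message-Signature covers the message itself (here From, Subject and
    # the body) and never any ARC header field.
    return "|".join([msg["From"], msg["Subject"], msg["body"]])


def _as_input(prior, cur):
    # ARC-Seal covers every ARC field of all earlier instances, in instance
    # order, plus this instance's AAR, AMS and its own AS minus the signature.
    lines = [f"{s['i']}:{s['d']}:{s['cv']}:{s['aar']}:{s['ams']}:{s['as']}" for s in prior]
    lines.append(f"{cur['i']}:{cur['d']}:{cur['cv']}:{cur['aar']}:{cur['ams']}")
    return "\n".join(lines)


def seal(msg, sets, d, aar, cv):
    """Return `sets` plus a new ARC set from sealer `d`; `aar` is the
    Authentication-Results text the sealer records, `cv` its chain verdict."""
    cur = {"i": len(sets) + 1, "d": d, "cv": cv, "aar": aar, "ams": _mac(d, _ams_input(msg))}
    cur["as"] = _mac(d, _as_input(sets, cur))
    return sets + [cur]


def validate(msg, sets):
    """Return (chain_status, oldest_pass, reason) for the message as received."""
    if not sets:
        return "none", None, "no ARC sets"
    sets = sorted(sets, key=lambda s: s["i"])
    n = len(sets)
    if n > MAX_INSTANCES or [s["i"] for s in sets] != list(range(1, n + 1)):
        return "fail", None, "instances are not a contiguous run 1..N (N <= 50)"
    for s in sets:
        want = "none" if s["i"] == 1 else "pass"
        if s["cv"] != want:  # any cv=fail, or a wrong cv, fails the whole chain
            return "fail", None, f"as.{s['i']} cv={s['cv']}, expected {want}"
        if s["d"] not in KEYS:
            return "fail", None, f"as.{s['i']} no key for {s['d']}"
    # Every ARC-Seal must verify: a seal that does not is not a forward, it is
    # someone splicing chains together.
    for k, s in enumerate(sets):
        cur = {key: v for key, v in s.items() if key != "as"}
        if not hmac.compare_digest(s["as"], _mac(s["d"], _as_input(sets[:k], cur))):
            return "fail", None, f"as.{s['i']} signature invalid"
    # Only the newest AMS must verify; older ones are allowed to break because
    # a list footer or Subject tag legitimately changed the message since.
    ams_ok = [hmac.compare_digest(s["ams"], _mac(s["d"], _ams_input(msg))) for s in sets]
    if not ams_ok[-1]:
        return "fail", None, f"ams.{n} signature invalid"
    # oldest-pass (assumed convention): 0 when every AMS verifies, otherwise the
    # lowest instance whose AMS still does; the content changed just before it.
    oldest = 0 if all(ams_ok) else min(s["i"] for s, ok in zip(sets, ams_ok) if ok)
    return "pass", oldest, "ok"


def usable_for_override(msg, sets, trusted):
    """Receiver policy rather than protocol (assumed here): only act on a
    passing chain whose sealers are all in `trusted`."""
    return validate(msg, sets)[0] == "pass" and all(s["d"] in trusted for s in sets)


def demo():
    # Constructed message path: a list server (i=1) receives and re-mails with
    # a Subject tag and footer, then a second forwarder (i=2) seals the result.
    original = {"From": "alice@example.net", "Subject": "hello", "body": "hi\n"}
    chain = seal(original, [], "lists.example.org", "dkim=pass", "none")
    relayed = {**original, "Subject": "[list] hello", "body": original["body"] + "-- footer\n"}
    chain = seal(relayed, chain, "example.com", "dkim=fail; arc=pass", "pass")
    tampered = {**relayed, "body": "replaced in transit\n"}
    return {
        "forwarded_twice": validate(relayed, chain)[:2],
        "tampered_after_last_seal": validate(tampered, chain)[:2],
        "cv_fail_appended": validate(relayed, seal(relayed, chain, "evil.example", "arc=fail", "fail"))[:2],
        "instance_1_stripped": validate(relayed, chain[1:])[:2],
        "trusted_sealers_only": usable_for_override(relayed, chain, {"example.com"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In the two-hop scenario the chain passes with oldest-pass 2: instance 1's AMS no longer verifies because the list changed the Subject and body, instance 2's does, so the modification is placed at the list hop. Any seal carrying cv=fail, a stripped instance, or a body change after the newest seal collapses the status to fail regardless of what later seals say, which is the situation the thread is weighing when it asks whether anything is learned from seals added after a cv=fail.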