IETF Logo Mail Archive

Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbis-07.txt

Douglas Foster <dougfoster.emailstandards@gmail.com> Fri, 22 April 2022 02:24 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF09F3A16F0 for <dmarc@ietfa.amsl.com>; Thu, 21 Apr 2022 19:24:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XC10AfbBnTdD for <dmarc@ietfa.amsl.com>; Thu, 21 Apr 2022 19:24:37 -0700 (PDT)
Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 475BC3A16ED for <dmarc@ietf.org>; Thu, 21 Apr 2022 19:24:37 -0700 (PDT)
Received: by mail-oi1-x234.google.com with SMTP id z8so7617526oix.3 for <dmarc@ietf.org>; Thu, 21 Apr 2022 19:24:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=JKPGvG9uwVL72MwFaJ6Y83YSywsg6TjaQAqTWFVvHm8=; b=oGNehXObZUGfmZa/r4TVC+gZ8bggSNeW4lxYIbQGZLlMhk5AUyH4WiQB76MFNfSuJk NkkInK8eTKBrpFG1y0sSurtgNHo3PsWy30/dWfuzv/AJFpJuPWnh1rOe3GPqnvSbnGmC iJPX0LCiJyW3Hu+884cSQbcNAbXV5WUG2Wmte9oeaGAxv+Op5VAxl7jr52eT6o1b8h7J F4E8GQMb/oVsZ4zdSdrR3GlPUoYdU1eWV7kvNMgqK14hj6uoEZSlJN9duqWv1EObymiX 4GG4BB21cWJYWLTOOtc08ugSeCaXrX+xoOqfhL0b0xd7PGIeCRce8hICmjoHBA/rV/Ts cA2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=JKPGvG9uwVL72MwFaJ6Y83YSywsg6TjaQAqTWFVvHm8=; b=AXslWi2cefOYnwJKQrbYJIIULlfhsDeDiaoxVS3/DDwnpSbqCwawV7bNSOV9NkM1L4 iaeJHrqmXzPP6beLil3v/tbxvyIB3KDwcNq0gC5MLHpeEZ+1/FhmljRbwNNDVbY4xby7 Ph3YVkZXUQK66mgDimY+5jLrv8c817UCySgFrM73k1/tiNOWj8juj0OEbH9pIIxfeYmc Y+BajqMVYuCOjG4vCasM43VvbuHNQhgkP85UzoDZJpcR5FGA+l5H2oY7b1/7Ni6P8i6j m1m0YCPOqmL3rd6wfyY+J6kVTrjcr9Hx9FtyTxrhnafNdthrLpbA7v2bUAMbSAaolwjE yvdQ==
X-Gm-Message-State: AOAM531pRVjQN3RP45yWymjjkY5Uq/0MJME8rzya4BsPC9Qu0OYp3ewY JPOi+lWsHePJsH34419du0vIXzaBW/0OKCwUpCM4TBIA
X-Google-Smtp-Source: ABdhPJy0UY9aSAERWUvgJdBywpyp1+Qhzt4UUWOYmquzuk5dBeyjvkXgqRD0F7JduT5CUkicFM2tJR/ELgj/0o50mL0=
X-Received: by 2002:a54:4594:0:b0:322:7c38:bd93 with SMTP id z20-20020a544594000000b003227c38bd93mr5580093oib.58.1650594275899; Thu, 21 Apr 2022 19:24:35 -0700 (PDT)
MIME-Version: 1.0
References: <164925666278.4445.13789431014958416691@ietfa.amsl.com> <1763264.1lysBax9Yy@zini-1880> <CAH48Zfx6K85_zUEZd15jMb7d=atXqkfZiUYRbnVr=VjpG0isjQ@mail.gmail.com> <4212228.nKx5ozAMXs@zini-1880> <CAH48Zfy3D5EBZRT5Y+pHZo2xgKq1XMG-Sw7Rps-mAiDY-CrCtQ@mail.gmail.com> <F260AA61-26E2-4BFD-BACB-01E259B485D7@kitterman.com>
In-Reply-To: <F260AA61-26E2-4BFD-BACB-01E259B485D7@kitterman.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 21 Apr 2022 22:24:26 -0400
Message-ID: <CAH48ZfyYFeZyFnwf1PiciosYbPWSB0dF5tDWshtWza98QkaD8A@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007bbbfb05dd34ed95"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/99UfFfQJcSEgvzMWQ-FrBeK4d2o>
Subject: Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbis-07.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2022 02:24:42 -0000

Yes, there is a fundamental difference between a vulnerability that is
created because of a change in rules, as compared to a design that requires
convincing a third party to act contrary to that parties intended purpose.

But to the problem that you want to solve:

Assume that a savvy email manager is trying to decide whether to embrace
the new design or not.   He is likely to run both algorithms and evaluate
the results.   If the two algorithms produce the same result, he is happy.
 If the DNS produces a lower organization domain, he is happy to accept the
more restrictive alignment scope.

But if the DNS produces a higher organization domain, he is skeptical.   We
need to provide assurance that the located organization domain is in the
same organization as the subdomain FROM address that started the process.
 This is as simple as a policy token which says "no organizational
boundaries below".    An integer seems to make the most sense:

Given an organizational domain of "orgdomain.parentpath"
- OrgsBelow=0 - means the entire subtree is one organization, no
organizational boundaries exist below "orgdomain.parentpath"
- OrgsBelow=1 - this is a registrar domain and the next level down is
registered clients.  "sub1.orgdomain.parentpath" is a separate organization
from "orgdomain.parentpath"
-  OrgsBelow=2 - an organization boundary exists two levels down.
"sub1.orgdomain.parentpath" is part of "orgdomain.parentpath" but
"sub2.sub1.orgdomain.parentpath" is a separate organization.
And so forth.  Based on our analysis, the highest expected value is 3, but
the design is insensitive to the value published.   A very high value like
99 is effectively equivalent to the value 0.

(Optionally, we could specify that OrgsBelow<0 means that there are no
subdomains in the organization, so any appearance of a subdomain is
fraudulent.   This is a stronger repudiation than SP=reject.)

For the vast majority of domains that are not private registries, using
OrgsBelow=0 allows them to be completely free of the PSL.

Organizations that fail to publish this flag will be vulnerable to trust
issues, since a cautious email manager will worry that they may contain a
private registry.    If the evaluator responds to this risk by comparing
the DNS result to the PSL result, and the PSL result is lower, the savvy
evaluator may choose the lower entry.  If this is not what the domain owner
wants, he should publish the OrgsBelow indicator.

Doug Foster

The malicious client of a private registry can no longer attack
unilaterally.  If he manipulates his DMARC settings to direct evaluators to
the registrar's organizational domain, the attack is expected to fail,
either because (a) the registrar publishes OrgsBelow>0, or (b) the
evaluator checks the PSL, gets a lower-level result for the organization
domain, and uses the lower-risk longer domain,

Doug



On Wed, Apr 20, 2022 at 8:40 AM Scott Kitterman <sklist@kitterman.com>
wrote:

> No.  We went through all this before and that's not correct.  Tree walk is
> no worse than the PSL for private registries.  For public registries it is
> in many cases much better.  In many cases IANA has contractual control that
> is much stronger than any management controls in the PSL.
>
> There's nothing the IETF can do to prevent customer hostile registrars
> from doing hostile things.
>
> I think the fundamental error is to assume the PSL is static.  It's not.
>
> In terms of the concerns you've expressed, is there any issue you see with
> the tree walk that isn't equally a problem if the putative hostile
> registrar asks for a change in the PSL?
>
> Scott K
>
> On April 20, 2022 10:56:01 AM UTC, Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
> >This is a fundamental flaw in the design, not a problem to be fixed on a
> >case-by-case basis.
> >
> >Under the tree walk, any private registry client can impersonate the
> parent
> >or a sibling, simply by publishing a non-org DMARC policy and then letting
> >the tree walk proceed into the parent organization.  Yes, the parent
> >organization can prevent this using its own DMARC policy, but it is
> foolish
> >to assume that all of them will.  Wherever the opportunity exists,
> >malicious domain owners can be expected to use it. and the Michael Hammer
> >testimony is that they have already done so when the PSL had an omissioin.
> >
> >Private registries are a significant complication to understanding the
> >effectiveness of DMARC evaluation, and yet the document still does not
> >discuss their existence or their potential security considerations.
> >
> >The case against the PSL has been heavy on generalities but weak on
> >specifics.   The appropriate solution is to use DNS entries to provide a
> >check on PSL mistakes and omissions.   When a DNS entry specifies a lower
> >alignment point (more restrictive relaxed alignment), the evaluator should
> >use the DNS value.   If the PSL specifies a lower alignment point, the DNS
> >entry may be malicious.   So the evaluatror would be wise to use the more
> >restrictive st the PSL entry for an initial message, and then make an
> >investigate to determine if he wants to establish a local policy to trust
> >the higher alignment point in DNS.  When the DNS is being used to validate
> >the PSL rather than replacing it, we have alternate algorithm options
> which
> >are more efficient than a full tree walk.
> >
> >In summary, there is no good reason to discard the PSL completely, and no
> >compelling reason to believe that DNS by itself can ever provide a
> >sufficient solution.
> >
> >.Doug
> >
> >
> >
> >
> >
> >
> >On Tue, Apr 19, 2022 at 11:12 PM Scott Kitterman <sklist@kitterman.com>
> >wrote:
> >
> >> Thanks.
> >>
> >> I think this is pretty much the same list John published before.  I
> think
> >> there is a little bit of outreach to do while we're working on DMARCbis,
> >> but
> >> it's not a major issue.  Some of these are false positives.  As an
> example:
> >>
> >> gov.scot
> >> service.gov.scot
> >>
> >> Are both on the PSL.  It's true that under the new tree walk approach
> >> other
> >> parts of the government of Scotland could impersonate service.gov.scot,
> >> but I
> >> don't think it's a major risk.
> >>
> >> This is part of the reason I'd like to see the WG get an early
> assignment
> >> from
> >> IANA for the psd tag.  Once that's done, we (and I will work on this)
> can
> >> start contacting both the PSL and above PSL entities with DMARC records
> >> about
> >> updating them to use it.  The meantime, any lower level entity for these
> >> PSDs
> >> that has a problem would be able to publish psd=n and stop it.
> >>
> >> Scott K
> >>
> >> On Tuesday, April 19, 2022 8:18:53 PM EDT Douglas Foster wrote:
> >> > Scott asked for my list, so it is attached.   I walked up the tree
> from
> >> the
> >> > private registries, then did a DNS lookup for a DMARC entry.
> >> >  Consequently, the list shows the domains with DMARC policies, at
> >> whatever
> >> > level, rather than the PSL entry itself.
> >> >
> >> > Doug
> >> >
> >> >
> >> > On Tue, Apr 19, 2022 at 12:00 AM Scott Kitterman <
> sklist@kitterman.com>
> >> >
> >> > wrote:
> >> > > On Monday, April 18, 2022 10:14:37 PM EDT Douglas Foster wrote:
> >> > > > Concern 1
> >> > > > Of the several thousand private registry domains listed in the
> PSL,
> >> 45
> >> > > have
> >> > > > DMARC policies at or above the registry point.   40 of these 45
> >> specify
> >> > > > relaxed alignment for both DKIM and SPF.  Upon activation of the
> tree
> >> > > walk,
> >> > > > these policies will be treated as organizational domains to any
> >> private
> >> > > > registry clients that have not published their own psd=y policy.
> >> > >
> >> > >  Because
> >> > > > of relaxed alignment, these private registry clients will be able
> to
> >> > > > impersonate their siblings and parents and produce a DMARC result
> of
> >> > > PASS.
> >> > >
> >> > > Please provide your list of ones you think might be problematic.
> >> > >
> >> > > > Concern 2
> >> > > > Since the longest current PSL entry has 5 segments, the longest
> >> > > > organizational domain is 6 segments.   The "jump to 5" logic needs
> >> to be
> >> > > > changed to "jump to 6".
> >> > >
> >> > > What PSL entries that are 5 long are you worried about?  When we
> >> looked at
> >> > > this before, 5 seemed sufficient.  Changing the number, now, isn't a
> >> big
> >> > > deal.
> >> > >
> >> > > > Concern 3
> >> > > > The "psd=u" language is inconsistent.  Which is true?
> >> > > > "This token indicates that this policy is not an organizational
> >> domain,,
> >> > > > the organizational domain is above this point"
> >> > > > or
> >> > > > "This token indicates no usable information, proceed with the
> >> heuristic
> >> > >
> >> > > to
> >> > >
> >> > > > determine if this policy is the organizational domain"
> >> > >
> >> > > It should be the latter.  If we're inconsistent, please propose
> >> corrected
> >> > > text.
> >> > >
> >> > > Scott K
> >> > >
> >> > > > Doug Foster
> >> > > >
> >> > > > On Sun, Apr 17, 2022 at 4:54 PM Scott Kitterman <
> >> sklist@kitterman.com>
> >> > > >
> >> > > > wrote:
> >> > > > > I've finished going through this and also updated authheaders
> [1]
> >> to
> >> > > > > match.  It
> >> > > > > now has a script called dmarc-policy-find which you can used to
> >> > >
> >> > > determine
> >> > >
> >> > > > > the
> >> > > > > DMARC policy to be applied for a domain.  You can use RFC 7489,
> RFC
> >> > >
> >> > > 7489 +
> >> > >
> >> > > > > RFC
> >> > > > > 9091, and DMARCbis-07.
> >> > > > >
> >> > > > > It does currently cheat and assume psd=y is in the records for
> >> domains
> >> > >
> >> > > on
> >> > >
> >> > > > > the
> >> > > > > PSD DMARC registry list, since no one has actually published
> that
> >> yet.
> >> > > > >
> >> > > > > Scott K
> >> > > > >
> >> > > > > [1] https://github.com/ValiMail/authentication-headers (also on
> >> pypi)
> >> > > > >
> >> > > > > On Wednesday, April 6, 2022 12:27:04 PM EDT Scott Kitterman
> wrote:
> >> > > > > > I believe it does.
> >> > > > > >
> >> > > > > > Thanks,
> >> > > > > >
> >> > > > > > Scott K
> >> > > > > >
> >> > > > > > On April 6, 2022 2:53:59 PM UTC, Todd Herr
> >> > > > >
> >> > > > > <todd.herr=40valimail.com@dmarc.ietf.org> wrote:
> >> > > > > > >I believe this rev has the proposed text that was submitted
> in
> >> > >
> >> > > various
> >> > >
> >> > > > > > >messages in the thread titled "*5.5.4. Publish a DMARC Policy
> >> for
> >> > >
> >> > > the
> >> > >
> >> > > > > > >Author Domain - dmarcbis-06"*
> >> > > > > > >
> >> > > > > > >On Wed, Apr 6, 2022 at 10:51 AM <internet-drafts@ietf.org>
> >> wrote:
> >> > > > > > >> A New Internet-Draft is available from the on-line
> >> > > > > > >> Internet-Drafts
> >> > > > > > >> directories.
> >> > > > > > >> This draft is a work item of the Domain-based Message
> >> > >
> >> > > Authentication,
> >> > >
> >> > > > > > >> Reporting & Conformance WG of the IETF.
> >> > > > > > >>
> >> > > > > > >>         Title           : Domain-based Message
> Authentication,
> >> > > > >
> >> > > > > Reporting,
> >> > > > >
> >> > > > > > >> and Conformance (DMARC)
> >> > > > > > >>
> >> > > > > > >>         Authors         : Todd M. Herr
> >> > > > > > >>
> >> > > > > > >>                           John Levine
> >> > > > > > >>
> >> > > > > > >>         Filename        : draft-ietf-dmarc-dmarcbis-07.txt
> >> > > > > > >>         Pages           : 62
> >> > > > > > >>         Date            : 2022-04-06
> >> > > > > > >>
> >> > > > > > >> Abstract:
> >> > > > > > >>    This document describes the Domain-based Message
> >> > >
> >> > > Authentication,
> >> > >
> >> > > > > > >>    Reporting, and Conformance (DMARC) protocol.
> >> > > > > > >>
> >> > > > > > >>    DMARC permits the owner of an email author's domain
> name to
> >> > >
> >> > > enable
> >> > >
> >> > > > > > >>    verification of the domain's use, to indicate the Domain
> >> > >
> >> > > Owner's
> >> > >
> >> > > > > > >>    or
> >> > > > > > >>    Public Suffix Operator's message handling preference
> >> regarding
> >> > > > >
> >> > > > > failed
> >> > > > >
> >> > > > > > >>    verification, and to request reports about use of the
> >> domain
> >> > >
> >> > > name.
> >> > >
> >> > > > > > >>    Mail receiving organizations can use this information
> when
> >> > > > >
> >> > > > > evaluating
> >> > > > >
> >> > > > > > >>    handling choices for incoming mail.
> >> > > > > > >>
> >> > > > > > >>    This document obsoletes RFC 7489.
> >> > > > > > >>
> >> > > > > > >> The IETF datatracker status page for this draft is:
> >> > > > > > >>
> https://datatracker.ietf.org/doc/draft-ietf-dmarc-dmarcbis/
> >> > > > > > >>
> >> > > > > > >> There is also an HTML version available at:
> >> > > > > > >>
> >> https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-07.html
> >> > > > > > >>
> >> > > > > > >> A diff from the previous version is available at:
> >> > > > > > >>
> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-dmarcbis-07
> >> > > > > > >>
> >> > > > > > >> Internet-Drafts are also available by rsync at
> rsync.ietf.org
> >> :
> >> > > > > > >> :internet-drafts
> >> > > > > > >>
> >> > > > > > >> _______________________________________________
> >> > > > > > >> dmarc mailing list
> >> > > > > > >> dmarc@ietf.org
> >> > > > > > >> https://www.ietf.org/mailman/listinfo/dmarc
> >> > > > > >
> >> > > > > > _______________________________________________
> >> > > > > > dmarc mailing list
> >> > > > > > dmarc@ietf.org
> >> > > > > > https://www.ietf.org/mailman/listinfo/dmarc
> >> > > > >
> >> > > > > _______________________________________________
> >> > > > > dmarc mailing list
> >> > > > > dmarc@ietf.org
> >> > > > > https://www.ietf.org/mailman/listinfo/dmarc
> >> > >
> >> > > _______________________________________________
> >> > > dmarc mailing list
> >> > > dmarc@ietf.org
> >> > > https://www.ietf.org/mailman/listinfo/dmarc
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> dmarc mailing list
> >> dmarc@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dmarc
> >>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email