Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbis-07.txt
Scott Kitterman <sklist@kitterman.com> Fri, 22 April 2022 03:58 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9964E3A0D71 for <dmarc@ietfa.amsl.com>; Thu, 21 Apr 2022 20:58:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=R+PHyFrQ; dkim=pass (2048-bit key) header.d=kitterman.com header.b=ot8tu82V
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mwags6509XtR for <dmarc@ietfa.amsl.com>; Thu, 21 Apr 2022 20:58:50 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E292E3A0D79 for <dmarc@ietf.org>; Thu, 21 Apr 2022 20:58:49 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 39A45F80259 for <dmarc@ietf.org>; Thu, 21 Apr 2022 23:58:46 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1650599926; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=Vwd9v9Dgz8KjJjWjeOpHdqM/R315d47XULvdn6mv8Eg=; b=R+PHyFrQsm7QKONTtM+wiqQqV8xJxMgEcLLgGBXIyZAEzA2laG7D8i+ABdi5Wbl+lC/bP RH9XQ1lVyclgOQFCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1650599926; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=Vwd9v9Dgz8KjJjWjeOpHdqM/R315d47XULvdn6mv8Eg=; b=ot8tu82VND2Skh6ibJGG9p8EtzLZR4MOyHAe3NKxVo5vTEpsz0WKT18Ay9xQBEBZP1b9K COIs027YY7DbXOqIU02X1NYgHqgzVPJUnT4MxegyDA+nZ08GQbazY3qyN0R/UZConRSMXah 1r+Jvk9e8rfSc4BVEVn0N6ya+UP7DXNTRQ+3hOAEO9orXfGj5e28GjDdFee+lelzqU/NCPA DhK/gOjWLiwpgqN74j3fme47VxHj8tTksfv31lZgQvyAUcoTYptXzchjU1pdiuLSe8JXgl9 0U1Rv4gkwdQUSg0F4j63hB1Lb7Z7VNm6ZhsrRX3W66ICzIGG69ZIFiT/3cXw==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 1AED4F801D4 for <dmarc@ietf.org>; Thu, 21 Apr 2022 23:58:46 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Thu, 21 Apr 2022 23:58:45 -0400
Message-ID: <86875642.IaSduBSSv9@zini-1880>
In-Reply-To: <CAH48ZfyYFeZyFnwf1PiciosYbPWSB0dF5tDWshtWza98QkaD8A@mail.gmail.com>
References: <164925666278.4445.13789431014958416691@ietfa.amsl.com> <F260AA61-26E2-4BFD-BACB-01E259B485D7@kitterman.com> <CAH48ZfyYFeZyFnwf1PiciosYbPWSB0dF5tDWshtWza98QkaD8A@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9d4Ge3rzFlglXl1jp9I_iw9gC7o>
Subject: Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbis-07.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2022 03:58:55 -0000
What would be the benefit of all this extra complexity? What does a domain with an unhelpful PSD get over publishing psd=n based on the current draft? I think there's some small chance of the problem I think you are describing occurring, but I believe we've addressed it already in a much simpler way. Scott K On Thursday, April 21, 2022 10:24:26 PM EDT Douglas Foster wrote: > Yes, there is a fundamental difference between a vulnerability that is > created because of a change in rules, as compared to a design that requires > convincing a third party to act contrary to that parties intended purpose. > > But to the problem that you want to solve: > > Assume that a savvy email manager is trying to decide whether to embrace > the new design or not. He is likely to run both algorithms and evaluate > the results. If the two algorithms produce the same result, he is happy. > If the DNS produces a lower organization domain, he is happy to accept the > more restrictive alignment scope. > > But if the DNS produces a higher organization domain, he is skeptical. We > need to provide assurance that the located organization domain is in the > same organization as the subdomain FROM address that started the process. > This is as simple as a policy token which says "no organizational > boundaries below". An integer seems to make the most sense: > > Given an organizational domain of "orgdomain.parentpath" > - OrgsBelow=0 - means the entire subtree is one organization, no > organizational boundaries exist below "orgdomain.parentpath" > - OrgsBelow=1 - this is a registrar domain and the next level down is > registered clients. "sub1.orgdomain.parentpath" is a separate organization > from "orgdomain.parentpath" > - OrgsBelow=2 - an organization boundary exists two levels down. > "sub1.orgdomain.parentpath" is part of "orgdomain.parentpath" but > "sub2.sub1.orgdomain.parentpath" is a separate organization. > And so forth. Based on our analysis, the highest expected value is 3, but > the design is insensitive to the value published. A very high value like > 99 is effectively equivalent to the value 0. > > (Optionally, we could specify that OrgsBelow<0 means that there are no > subdomains in the organization, so any appearance of a subdomain is > fraudulent. This is a stronger repudiation than SP=reject.) > > For the vast majority of domains that are not private registries, using > OrgsBelow=0 allows them to be completely free of the PSL. > > Organizations that fail to publish this flag will be vulnerable to trust > issues, since a cautious email manager will worry that they may contain a > private registry. If the evaluator responds to this risk by comparing > the DNS result to the PSL result, and the PSL result is lower, the savvy > evaluator may choose the lower entry. If this is not what the domain owner > wants, he should publish the OrgsBelow indicator. > > Doug Foster > > The malicious client of a private registry can no longer attack > unilaterally. If he manipulates his DMARC settings to direct evaluators to > the registrar's organizational domain, the attack is expected to fail, > either because (a) the registrar publishes OrgsBelow>0, or (b) the > evaluator checks the PSL, gets a lower-level result for the organization > domain, and uses the lower-risk longer domain, > > Doug > > > > On Wed, Apr 20, 2022 at 8:40 AM Scott Kitterman <sklist@kitterman.com> > > wrote: > > No. We went through all this before and that's not correct. Tree walk is > > no worse than the PSL for private registries. For public registries it is > > in many cases much better. In many cases IANA has contractual control > > that > > is much stronger than any management controls in the PSL. > > > > There's nothing the IETF can do to prevent customer hostile registrars > > from doing hostile things. > > > > I think the fundamental error is to assume the PSL is static. It's not. > > > > In terms of the concerns you've expressed, is there any issue you see with > > the tree walk that isn't equally a problem if the putative hostile > > registrar asks for a change in the PSL? > > > > Scott K > > > > On April 20, 2022 10:56:01 AM UTC, Douglas Foster < > > > > dougfoster.emailstandards@gmail.com> wrote: > > >This is a fundamental flaw in the design, not a problem to be fixed on a > > >case-by-case basis. > > > > > >Under the tree walk, any private registry client can impersonate the > > > > parent > > > > >or a sibling, simply by publishing a non-org DMARC policy and then > > >letting > > >the tree walk proceed into the parent organization. Yes, the parent > > >organization can prevent this using its own DMARC policy, but it is > > > > foolish > > > > >to assume that all of them will. Wherever the opportunity exists, > > >malicious domain owners can be expected to use it. and the Michael Hammer > > >testimony is that they have already done so when the PSL had an > > >omissioin. > > > > > >Private registries are a significant complication to understanding the > > >effectiveness of DMARC evaluation, and yet the document still does not > > >discuss their existence or their potential security considerations. > > > > > >The case against the PSL has been heavy on generalities but weak on > > >specifics. The appropriate solution is to use DNS entries to provide a > > >check on PSL mistakes and omissions. When a DNS entry specifies a lower > > >alignment point (more restrictive relaxed alignment), the evaluator > > >should > > >use the DNS value. If the PSL specifies a lower alignment point, the > > >DNS > > >entry may be malicious. So the evaluatror would be wise to use the more > > >restrictive st the PSL entry for an initial message, and then make an > > >investigate to determine if he wants to establish a local policy to trust > > >the higher alignment point in DNS. When the DNS is being used to > > >validate > > >the PSL rather than replacing it, we have alternate algorithm options > > > > which > > > > >are more efficient than a full tree walk. > > > > > >In summary, there is no good reason to discard the PSL completely, and no > > >compelling reason to believe that DNS by itself can ever provide a > > >sufficient solution. > > > > > >.Doug > > > > > > > > > > > > > > > > > > > > >On Tue, Apr 19, 2022 at 11:12 PM Scott Kitterman <sklist@kitterman.com> > > > > > >wrote: > > >> Thanks. > > >> > > >> I think this is pretty much the same list John published before. I > > > > think > > > > >> there is a little bit of outreach to do while we're working on > > >> DMARCbis, > > >> but > > >> it's not a major issue. Some of these are false positives. As an > > > > example: > > >> gov.scot > > >> service.gov.scot > > >> > > >> Are both on the PSL. It's true that under the new tree walk approach > > >> other > > >> parts of the government of Scotland could impersonate service.gov.scot, > > >> but I > > >> don't think it's a major risk. > > >> > > >> This is part of the reason I'd like to see the WG get an early > > > > assignment > > > > >> from > > >> IANA for the psd tag. Once that's done, we (and I will work on this) > > > > can > > > > >> start contacting both the PSL and above PSL entities with DMARC records > > >> about > > >> updating them to use it. The meantime, any lower level entity for > > >> these > > >> PSDs > > >> that has a problem would be able to publish psd=n and stop it. > > >> > > >> Scott K > > >> > > >> On Tuesday, April 19, 2022 8:18:53 PM EDT Douglas Foster wrote: > > >> > Scott asked for my list, so it is attached. I walked up the tree > > > > from > > > > >> the > > >> > > >> > private registries, then did a DNS lookup for a DMARC entry. > > >> > > > >> > Consequently, the list shows the domains with DMARC policies, at > > >> > > >> whatever > > >> > > >> > level, rather than the PSL entry itself. > > >> > > > >> > Doug > > >> > > > >> > > > >> > On Tue, Apr 19, 2022 at 12:00 AM Scott Kitterman < > > > > sklist@kitterman.com> > > > > >> > wrote: > > >> > > On Monday, April 18, 2022 10:14:37 PM EDT Douglas Foster wrote: > > >> > > > Concern 1 > > >> > > > Of the several thousand private registry domains listed in the > > > > PSL, > > > > >> 45 > > >> > > >> > > have > > >> > > > > >> > > > DMARC policies at or above the registry point. 40 of these 45 > > >> > > >> specify > > >> > > >> > > > relaxed alignment for both DKIM and SPF. Upon activation of the > > > > tree > > > > >> > > walk, > > >> > > > > >> > > > these policies will be treated as organizational domains to any > > >> > > >> private > > >> > > >> > > > registry clients that have not published their own psd=y policy. > > >> > > > > >> > > Because > > >> > > > > >> > > > of relaxed alignment, these private registry clients will be able > > > > to > > > > >> > > > impersonate their siblings and parents and produce a DMARC result > > > > of > > > > >> > > PASS. > > >> > > > > >> > > Please provide your list of ones you think might be problematic. > > >> > > > > >> > > > Concern 2 > > >> > > > Since the longest current PSL entry has 5 segments, the longest > > >> > > > organizational domain is 6 segments. The "jump to 5" logic > > >> > > > needs > > >> > > >> to be > > >> > > >> > > > changed to "jump to 6". > > >> > > > > >> > > What PSL entries that are 5 long are you worried about? When we > > >> > > >> looked at > > >> > > >> > > this before, 5 seemed sufficient. Changing the number, now, isn't > > >> > > a > > >> > > >> big > > >> > > >> > > deal. > > >> > > > > >> > > > Concern 3 > > >> > > > The "psd=u" language is inconsistent. Which is true? > > >> > > > "This token indicates that this policy is not an organizational > > >> > > >> domain,, > > >> > > >> > > > the organizational domain is above this point" > > >> > > > or > > >> > > > "This token indicates no usable information, proceed with the > > >> > > >> heuristic > > >> > > >> > > to > > >> > > > > >> > > > determine if this policy is the organizational domain" > > >> > > > > >> > > It should be the latter. If we're inconsistent, please propose > > >> > > >> corrected > > >> > > >> > > text. > > >> > > > > >> > > Scott K > > >> > > > > >> > > > Doug Foster > > >> > > > > > >> > > > On Sun, Apr 17, 2022 at 4:54 PM Scott Kitterman < > > >> > > >> sklist@kitterman.com> > > >> > > >> > > > wrote: > > >> > > > > I've finished going through this and also updated authheaders > > > > [1] > > > > >> to > > >> > > >> > > > > match. It > > >> > > > > now has a script called dmarc-policy-find which you can used to > > >> > > > > >> > > determine > > >> > > > > >> > > > > the > > >> > > > > DMARC policy to be applied for a domain. You can use RFC 7489, > > > > RFC > > > > >> > > 7489 + > > >> > > > > >> > > > > RFC > > >> > > > > 9091, and DMARCbis-07. > > >> > > > > > > >> > > > > It does currently cheat and assume psd=y is in the records for > > >> > > >> domains > > >> > > >> > > on > > >> > > > > >> > > > > the > > >> > > > > PSD DMARC registry list, since no one has actually published > > > > that > > > > >> yet. > > >> > > >> > > > > Scott K > > >> > > > > > > >> > > > > [1] https://github.com/ValiMail/authentication-headers (also on > > >> > > >> pypi) > > >> > > >> > > > > On Wednesday, April 6, 2022 12:27:04 PM EDT Scott Kitterman > > > > wrote: > > >> > > > > > I believe it does. > > >> > > > > > > > >> > > > > > Thanks, > > >> > > > > > > > >> > > > > > Scott K > > >> > > > > > > > >> > > > > > On April 6, 2022 2:53:59 PM UTC, Todd Herr > > >> > > > > > > >> > > > > <todd.herr=40valimail.com@dmarc.ietf.org> wrote: > > >> > > > > > >I believe this rev has the proposed text that was submitted > > > > in > > > > >> > > various > > >> > > > > >> > > > > > >messages in the thread titled "*5.5.4. Publish a DMARC > > >> > > > > > >Policy > > >> > > >> for > > >> > > >> > > the > > >> > > > > >> > > > > > >Author Domain - dmarcbis-06"* > > >> > > > > > > > > >> > > > > > >On Wed, Apr 6, 2022 at 10:51 AM <internet-drafts@ietf.org> > > >> > > >> wrote: > > >> > > > > > >> A New Internet-Draft is available from the on-line > > >> > > > > > >> Internet-Drafts > > >> > > > > > >> directories. > > >> > > > > > >> This draft is a work item of the Domain-based Message > > >> > > > > >> > > Authentication, > > >> > > > > >> > > > > > >> Reporting & Conformance WG of the IETF. > > >> > > > > > >> > > >> > > > > > >> Title : Domain-based Message > > > > Authentication, > > > > >> > > > > Reporting, > > >> > > > > > > >> > > > > > >> and Conformance (DMARC) > > >> > > > > > >> > > >> > > > > > >> Authors : Todd M. Herr > > >> > > > > > >> > > >> > > > > > >> John Levine > > >> > > > > > >> > > >> > > > > > >> Filename : draft-ietf-dmarc-dmarcbis-07.txt > > >> > > > > > >> Pages : 62 > > >> > > > > > >> Date : 2022-04-06 > > >> > > > > > >> > > >> > > > > > >> Abstract: > > >> > > > > > >> This document describes the Domain-based Message > > >> > > > > >> > > Authentication, > > >> > > > > >> > > > > > >> Reporting, and Conformance (DMARC) protocol. > > >> > > > > > >> > > >> > > > > > >> DMARC permits the owner of an email author's domain > > > > name to > > > > >> > > enable > > >> > > > > >> > > > > > >> verification of the domain's use, to indicate the > > >> > > > > > >> Domain > > >> > > > > >> > > Owner's > > >> > > > > >> > > > > > >> or > > >> > > > > > >> Public Suffix Operator's message handling preference > > >> > > >> regarding > > >> > > >> > > > > failed > > >> > > > > > > >> > > > > > >> verification, and to request reports about use of the > > >> > > >> domain > > >> > > >> > > name. > > >> > > > > >> > > > > > >> Mail receiving organizations can use this information > > > > when > > > > >> > > > > evaluating > > >> > > > > > > >> > > > > > >> handling choices for incoming mail. > > >> > > > > > >> > > >> > > > > > >> This document obsoletes RFC 7489. > > >> > > > > > >> > > >> > > > > > >> The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-ietf-dmarc-dmarcbis/ > > > > >> > > > > > >> There is also an HTML version available at: > > >> https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-07.html > > >> > > >> > > > > > >> A diff from the previous version is available at: > > >> https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-dmarcbis-07 > > >> > > >> > > > > > >> Internet-Drafts are also available by rsync at > > > > rsync.ietf.org > > > > >> > > > > > >> :internet-drafts > > >> > > > > > >> > > >> > > > > > >> _______________________________________________ > > >> > > > > > >> dmarc mailing list > > >> > > > > > >> dmarc@ietf.org > > >> > > > > > >> https://www.ietf.org/mailman/listinfo/dmarc > > >> > > > > > > > >> > > > > > _______________________________________________ > > >> > > > > > dmarc mailing list > > >> > > > > > dmarc@ietf.org > > >> > > > > > https://www.ietf.org/mailman/listinfo/dmarc > > >> > > > > > > >> > > > > _______________________________________________ > > >> > > > > dmarc mailing list > > >> > > > > dmarc@ietf.org > > >> > > > > https://www.ietf.org/mailman/listinfo/dmarc > > >> > > > > >> > > _______________________________________________ > > >> > > dmarc mailing list > > >> > > dmarc@ietf.org > > >> > > https://www.ietf.org/mailman/listinfo/dmarc > > >> > > >> _______________________________________________ > > >> dmarc mailing list > > >> dmarc@ietf.org > > >> https://www.ietf.org/mailman/listinfo/dmarc > > > > _______________________________________________ > > dmarc mailing list > > dmarc@ietf.org > > https://www.ietf.org/mailman/listinfo/dmarc
- [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbi… internet-drafts
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Todd Herr
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Douglas Foster
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Robert
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Todd Herr
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… John Levine
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Douglas Foster
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Douglas Foster
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Douglas Foster
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… John Levine
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Barry Leiba
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Douglas Foster
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Robert
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Todd Herr
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Todd Herr
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Robert
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Todd Herr
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Les Barstow
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Les Barstow
- Re: [dmarc-ietf] cleaning up the ABNF, was I-D Ac… John Levine