Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

Dave Crocker <dhc@dcrocker.net> Sun, 16 August 2020 15:31 UTC

To: Alessandro Vesely <vesely@tana.it>
Cc: John Levine <johnl@taugh.com>, IETF DMARC WG <dmarc@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>, Dotzero <dotzero@gmail.com>
References: <CAJ4XoYcFbh8-nAxjxzzRgUahFfhcgcZQ2yMF2ewv_-DgUmhL=g@mail.gmail.com> <20200814164237.313071E971DB@ary.local> <CAJ4XoYeqj_5mpZu1PZP4rNfrWRyC5gC-2dfK7oX9xQHiR24QeA@mail.gmail.com> <085c6a5f-5451-ae8c-4873-133673ba1754@tana.it> <CAL0qLwaVUi9QtV4zcCwncuy4N3YPwsGZPzFfd1q19io79UG2VQ@mail.gmail.com> <c1844590-4b12-9763-21c5-6ac5b730321b@tana.it> <6358f3da-806b-f4eb-b9a0-8ee8ce4121d7@dcrocker.net> <4e549ca6-6047-6ff2-325c-fe8d7247e157@tana.it>
Reply-To: dcrocker@bbiw.net
From: Dave Crocker <dhc@dcrocker.net>
Organization: Brandenburg InternetWorking
Message-ID: <c972e0af-b589-1780-47b3-8cb2a2024ec2@dcrocker.net>
Date: Sun, 16 Aug 2020 08:31:47 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <4e549ca6-6047-6ff2-325c-fe8d7247e157@tana.it>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/AA1jJDpirLazy1UhVmpe02Qxyb8>

On 8/16/2020 1:23 AM, Alessandro Vesely wrote:
> On Sat 15/Aug/2020 20:12:18 +0200 Dave Crocker wrote:
>> On 8/15/2020 3:32 AM, Alessandro Vesely wrote:
> 
>>> If X pretends to be Y,
>>
>>
>> If I put my gmail address into the from field, there is no pretending, 
>> no matter what platform I am using.
> 
> 
> That conflicts with the coarse-grained authentication strategy, 
> established at the FTC Email Authentication Summit in November 2004, as 

1. I was making a semantic point, not a technical or technical policy one.

2. There was nothing 'established' at that event.  There were 
interesting discussions, but that's all.

3. I'm not finding the reference in any of Doug's notes that you are 
relying on.  Please be specific about it.


> Doug recalled.  Your gmail address needs to be authenticated by gmail. 

Good grief, no.  There is no system rule to that effect.  DMARC created 
that, but no policy before it was in place, never mind accepted.


> Sending From: bbiw.net, SPF-authenticated as dcrocker.net, and 
> whitelisted as yet another domain (songbird.com) can hardly be 
> verified.  There is no "pretending", since it's you, but it is not 
> formally distinguishable from spoof, is it?

Whether valid and invalid uses can be distinguished does not alter the 
fact that valid uses are valid.


>> This continuing practice of characterizing valid use as if it were 
>> spoofing or pretending has been a major impediment to constructive 
>> discussion in the industry.
> 
> A system that is able to recognize all your domains and affiliations in 
> order to authenticate messages does cost several orders of magnitude 
> more than a simple "mechanical" verifier.  That way, requiring too much 
> flexibility is a push toward oligopoly.

I have no idea what you are referring to.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net