Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations
Dotzero <dotzero@gmail.com> Tue, 21 July 2020 19:32 UTC
In-Reply-To: <f2cd4931-9f61-2031-00bc-af9c460c15a3@bbiw.net>
From: Dotzero <dotzero@gmail.com>
Date: Tue, 21 Jul 2020 15:32:08 -0400
Message-ID: <CAJ4XoYf=XhaHKZpUjwoBJnLMwq_0LajTBWjJ01qjCaP7365E=w@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/At_6OjH4MQnieoFI1gZriYNUcxA>

On Tue, Jul 21, 2020 at 2:06 PM Dave Crocker <dcrocker@bbiw.net> wrote:

> On 7/21/2020 10:58 AM, Dotzero wrote:
> >
> > On Tue, Jul 21, 2020 at 11:52 AM Dave Crocker <dhc@dcrocker.net> wrote:
> >
> > The mail is not spoofed. Consider the definition of the word. Then consider that the MLM is authorized by the user with the address in the original From field.
> >
> > This is an interesting statement and raises a question.. Does a user have the authority to authorize (some) use of a domain in a manner contravening the express statement (p=reject) of the domain owner/administrator? I'm going to have to say no.
>
> The user is authorized to use that address. The problem here is not 'spoofing' but rather an internal personnel problem, with the user not adhering to the policies of the organization that authorized the user.
>
> For this case, DMARC externalizes that internal personnel problem.
>
> But it does not fit the definition of "spoofing".

Please note that I did not use either the word "spoof" or "spoofing". You wrote "MLM is authorized by the user". Someone without authority cannot authorize. In this case the user externalized the problem, not DMARC.

> > Also then consider that the existing MLM behavior has existed and been useful for roughly 45 years.
> >
> > Slavery existed for a long time (still does in some places) and was useful (for some) for a long time. Things change and evolve.
> >
> > The problem, here, is DMARC's imposing a change in email semantics.
> >
> > If that is the problem, why did you participate in the original DMARC effort? The issue was clear even back then.
>
> The original DMARC effort was, in fact, to detect actual cases of spoofing, namely unauthorized use of a domain name by outside actors.
>
> Different problem.

Actually, part of the effort was to enable Sending domains to identify their own mail that was being sent without aligned DKIM signing or from places not authorized through SPF - in other words, not properly authorized but legitimate, hence feedback loops.

Michael Hammer