[dmarc-ietf] Third party signatures
"Murray S. Kucherawy" <superuser@gmail.com> Tue, 02 May 2023 03:23 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00254C1519AB for <dmarc@ietfa.amsl.com>; Mon, 1 May 2023 20:23:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MARKETING_PARTNERS=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hCJui_F8T3LR for <dmarc@ietfa.amsl.com>; Mon, 1 May 2023 20:23:26 -0700 (PDT)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 472FAC1519A9 for <dmarc@ietf.org>; Mon, 1 May 2023 20:23:26 -0700 (PDT)
Received: by mail-ej1-x633.google.com with SMTP id a640c23a62f3a-9594916df23so103052166b.1 for <dmarc@ietf.org>; Mon, 01 May 2023 20:23:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1682997803; x=1685589803; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=BdjWL8CQZCSUAr/ptwyOPZNgohcDQYKIrrAyHwGLjg4=; b=l0OKAlGNfJfOf12IPlO9HwW/W+aYKobVXu0ChjFjyLcttPDoLMwUkmVjGzUmtG4JA8 37gNDOKgbu8J7Kjt3Neo37KJnsEPsYuo1eL1CsZfI12iSGN3jolozsSp3UOCALn1WjA4 OmSDchgtgxPaVgk/pc/NcrNtIY3w/mBupqDFl8WhMQG0HpMiEjE3/YMFVrSQi2MVi09W ZUKjaeAAoeGD5CTAWzzGNwFfXc8VHJgaAjPvI090dkp1BGCUkdo2mNf9LHWZGmL3IqcA VWCo4qSNYYCCvbWRsUi+AEH0+pOwuhUVQuaaizu7PaP5w26dZ9O3p8z5LJoHyC7ZygaM 7j4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682997803; x=1685589803; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=BdjWL8CQZCSUAr/ptwyOPZNgohcDQYKIrrAyHwGLjg4=; b=b4UiPxH/3KzUcgDqi6C3FrpqDULtklUg6DJqIAcdSC9Yxtx+B6C7zsAtb4XaC/xYYM 6PzV9jYwuhb0iv+SelTr9v8P3XD6lWnpEYe4CGuS6WWlR6rJWSz/WFDZrO9+pvaKU/qx R4EYx0QRPFC9qyc5aMie9hUBiGnfx/FCMf3/o9VjjsOrdYgtVq7y93LCH6McFW/iVGfm LcL+15ysFD75Mnq/01C8L4+zA2YR43pH5a9cSlZjwrnffDb2x7k/7q8UQ817TuGEgUN0 pyDadIvv1WQLE0L5LhHpZLSYOWMtPgV3vWlWY0XDa3uoSpjkIm3PuD3YF5y4RbUkHOOl BJJg==
X-Gm-Message-State: AC+VfDx/lwoULQeHlqdv0HRE8wIFXV1hDOHqsd7/GBsSZo/3oOozgfyi m/5txIZYIv3phLvPalXCwwej3gp/x0f0aRzCk9nY1T9ZTNY=
X-Google-Smtp-Source: ACHHUZ6Qxzsv7GvMujw4knoIQf7VFbO/mDK3PfaRZmYkb5ERcV6ks4DMKnru8hCl5VCrjBxW2sbfDb1IVqFJCXAyK0Q=
X-Received: by 2002:a17:906:220c:b0:953:506f:6dfd with SMTP id s12-20020a170906220c00b00953506f6dfdmr980214ejs.5.1682997803305; Mon, 01 May 2023 20:23:23 -0700 (PDT)
MIME-Version: 1.0
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Mon, 01 May 2023 20:23:11 -0700
Message-ID: <CAL0qLwa9DoTCVCOOgrB1NySd2-aE-5wVSGsLNh=8k7xwDLgrTw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000394f6b05faad767b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/BNYOl3Hxy6_Y7NBBRegysWBqMGY>
Subject: [dmarc-ietf] Third party signatures
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 May 2023 03:23:28 -0000
Some thoughts about the third party signature discussion that happened over the last couple of weeks while I was away: I wrote ATPS as an experiment in 2012. At the time we were still finishing DKIM (RFC 6376 was only five months earlier), and still talking about whether a third party signing solution was even possible. Doug Otis had a similar "TPA" draft out at the time, but neither of us were getting any traction from the working group. The community was quite dubious that the general idea could work, and TPA had a lot of complexity to it that I thought we could do without (or, at least, if we did need it, we could add it in later). Since I had an open source platform to play with, I decided to implement something, include it in the platform, ship it, and see what happens. I managed to get an AD to sponsor what became RFC 6541 to encourage other implementations to try it. In the years that followed, I think I only ever saw one consumer of that platform, other than me, enable the ATPS feature and try it out. I know of only Hector's code as another implementation. There have been claims that it was not "marketed" well, but I never saw any of this as something in need of marketing. If it's a feature people needed, they would ask for it and turn it on, and we would hear that it solved a problem. It wasn't hard to configure. To me, that doesn't say we did a poor job of "marketing" it, but more that a path to its success wasn't clear in the contexts where we really needed it. There are two main reasons I can see for this, as both an implementer and a consumer of this stuff, when it comes to mailing lists and the DMARC problem: (1) Scale. For mailing lists, ATPS only works if you list in your DNS all other domains that run lists to which your users subscribe. If you have a handful of users, you might be able to work this out. If you have a GMail number of users, you now have giant problems of user support and keeping that list current: "You mean I have to register every domain where I join a list? This sucks!" "I forgot to de-register a domain years ago, sorry. (And now that domain is still an authorized third party.)" "I typed the domain name wrong, how come it doesn't work?" "Why can't you auto-detect all of this?" (2) Security. ATPS doesn't specify what stuff the third party will generate as you. That third party now, practically, has one of your signing keys. Suppose you decide you trust the domain owner; do you trust the list? If you declare through ATPS that you trust ietf.org, and the list server here doesn't validate mail at ingress, then I can send unauthenticated mail through the list as you and it'll be as valid as if you signed it yourself. That might be OK for a marketing partner you're paying, but it's not awesome for free mailing lists. So I don't think it really helps us here, at least not in its current form. Unless I've misunderstood the proposal, amending ATPS to be a per-user thing only trades some of the second problem for more of the first problem. And I think the conditional signatures ideas suffer from the same two issues I identified above. I also have a vague inkling that we shouldn't be talking about ATPS in a DMARC document because that's a layering violation, in the sense that DMARC is built atop DKIM and SPF, and ATPS augments DKIM. We might get away with saying something like "You ought to consider things that make DKIM more list-tolerant", but forcing people to undertake all the DNS and user work that ATPS entails drags a lot of stuff into DMARC that we probably don't want. Personally, I think the DKIM transforms drafts stand a better chance of success. They need implementation and integration with a willing MLM, and some experimental deployments, to see for sure. The notion of DKIM transforms is also a long shot because of the complexity with which lists modify messages. This is not me saying we should pivot to work on these other things, at least not right now. I'm just skeptical that ATPS as defined can solve our problem. -MSK, participating
- [dmarc-ietf] Third party signatures Murray S. Kucherawy
- Re: [dmarc-ietf] Third party signatures Wei Chuang
- Re: [dmarc-ietf] Third party signatures John Levine
- Re: [dmarc-ietf] Third party signatures Murray S. Kucherawy
- Re: [dmarc-ietf] Third party signatures Alessandro Vesely
- Re: [dmarc-ietf] Third party signatures Wei Chuang
- Re: [dmarc-ietf] Third party signatures John R Levine
- Re: [dmarc-ietf] Third party signatures Wei Chuang
- Re: [dmarc-ietf] Third party signatures Hector Santos
- Re: [dmarc-ietf] Third party signatures Alessandro Vesely
- Re: [dmarc-ietf] Third party signatures Douglas Foster