IETF Logo Mail Archive

Re: [dmarc-ietf] Proposal to adopt ARC documents into the WG (toward phase 2 milestone)

"Kurt Andersen (b)" <kboth@drkurt.com> Wed, 11 May 2016 20:35 UTC

Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75AB712D0FF for <dmarc@ietfa.amsl.com>; Wed, 11 May 2016 13:35:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QeD-tooOPgoP for <dmarc@ietfa.amsl.com>; Wed, 11 May 2016 13:35:30 -0700 (PDT)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8863B12D0A3 for <dmarc@ietf.org>; Wed, 11 May 2016 13:35:30 -0700 (PDT)
Received: by mail-io0-x231.google.com with SMTP id f89so69743383ioi.0 for <dmarc@ietf.org>; Wed, 11 May 2016 13:35:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:sender:date:message-id:subject:from:to:cc; bh=BRpc3SFYR3HwzI6IoPgO2pip/7ICORaUqFu7ReA3fnc=; b=SiDrur5t3JreaYgL3KhbhODFzoMu4VPFFiCgh61gBvAIBmgfl77OggA8OkM44J0R/B cUkx4TrCof4a98tmuvZFAo4Le3qC1emwwX16J24t5vq7AcOaCWPD+3YNLHUDg2MB1gfv yRAuENNccMiOBFXEavmCOlMWCa77v7UjICa2M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:date:message-id:subject:from :to:cc; bh=BRpc3SFYR3HwzI6IoPgO2pip/7ICORaUqFu7ReA3fnc=; b=hFy844LkQFgpCHt6AqbHR3sgR5w7xVkUMXYc+HWEOn6exAAJnt3FxGa+EVD2WoP6AV rSVhRmW4HVaCn70374G3YbmWz7ewpRyBkmibWfHj8Y0AiV1+Cni4zx/mRZYFVDzdh28y kGbQaKk8c8bQ7VA9XxczvWV023BptoGmYckeu0yAohJR2fXhReCbK9r70rvAGrZxtOLv FxC8U05IM0kknzpvJD0Sxboqv8yryFYpsj77nt8OPrRTrBws2FokWcgKtxB//5YPN2+4 kT3awXwxqYNREkqQCkqQI1lgtxpaxSdldlgUZJhpVcXNL/aAwZqAMV3DcJnbyDAq2I8s HBjQ==
X-Gm-Message-State: AOPr4FWW4DSElcm+xL/orEWPWLqO/K0KgCCAuus3JHVDaNIKQ8eeOsqGP+H63GkYgYHNXR83ZKcR3t4KkIHF1g==
MIME-Version: 1.0
X-Received: by 10.107.129.75 with SMTP id c72mr5121263iod.102.1462998929728; Wed, 11 May 2016 13:35:29 -0700 (PDT)
Sender: kurta@drkurt.com
Received: by 10.107.20.202 with HTTP; Wed, 11 May 2016 13:35:29 -0700 (PDT)
Date: Wed, 11 May 2016 13:35:29 -0700
X-Google-Sender-Auth: lypXLq3u4x9nG6gGr2NlXqLGpXI
Message-ID: <CABuGu1qZNGfGkPDVRcs5tb_KF=UyAfMG0XKs07tud81iFZF44g@mail.gmail.com>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
To: Alessandro Vesely <vesely@tana.it>
Content-Type: multipart/alternative; boundary="001a113f99b0838ca4053296fbf9"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/ByipOMmI04tJpzMdCdSdspKB93U>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>
Subject: Re: [dmarc-ietf] Proposal to adopt ARC documents into the WG (toward phase 2 milestone)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2016 20:35:33 -0000

On Wed, May 11, 2016 at 11:40 AM, Alessandro Vesely <vesely@tana.it> wrote:

> On Wed 11/May/2016 19:09:45 +0200 Kurt Andersen (b) wrote:
> >
> > What would an AS[0] assertion provide that would not be already asserted
> by
> > the originator's DKIM-Signature?
>
> Nothing, except that the originator's DKIM-Signature is broken after MLM
> processing.  In that respect, ARC-Seal is similar to weak signatures.
>
> > If AS[1] is untrustworthy (using the term advisedly), but AS[0] still
> > verifies, then presumably the original DKIM-Signature would also still
> > verify and ARC-based information is not needed to have a pass for the
> DMARC
> > evaluation.
>
> If the body was altered the original DKIM-Signature is broken.  If AS(0) is
> good --which is possible since it didn't sign the body-- and rfc5322.from
> matches the AS(0) signer, can we then bypass DMARC validation?  To address
> Brandon's concern, high value targets should never produce an AS(0) in the
> first place.
>

AS[0] will not be "good" in the way you propose because nearly all of the
transformations that will break DKIM will also break the AMS
(ARC-Message-Signature) and, per
https://tools.ietf.org/html/draft-andersen-arc-04#section-5.1.1.5 bullet 3,
AMS must pass for the overall ARC set to be considered valid.

I'd like to respectfully suggest that "bypassing DMARC validation" is
pretty far out of scope for what we've intended with ARC.

--Kurt

v2.23.0 | Report a Bug | By Email