Re: [dmarc-ietf] Fwd: I-D Action: draft-ietf-dmarc-psd-10.txt

"Chudow, Eric B CIV NSA DSAW (USA)" <eric.b.chudow.civ@mail.mil> Sun, 21 February 2021 16:49 UTC

Return-Path: <eric.b.chudow.civ@mail.mil>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AF993A0C70 for <dmarc@ietfa.amsl.com>; Sun, 21 Feb 2021 08:49:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.667
X-Spam-Level:
X-Spam-Status: No, score=-2.667 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.57, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mail.mil
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HNam87nrdVPV for <dmarc@ietfa.amsl.com>; Sun, 21 Feb 2021 08:49:45 -0800 (PST)
Received: from UPDC19PA20.eemsg.mail.mil (UPDC19PA20.eemsg.mail.mil [214.24.27.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14BB33A0C6F for <dmarc@ietf.org>; Sun, 21 Feb 2021 08:49:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.mil; i=@mail.mil; q=dns/txt; s=EEMSG2018v1a; t=1613926185; x=1645462185; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=r7qjRHv+2MfozIeS6ucmLV6An249kmKrVUnNk87O9Hc=; b=jpRGXX1leHNA+Bspp0dwDdoSoqwEhlJW9gYTZadGKeeKHpg5iO6WxA3v 5EaJ8/lxwJaaSre5uEA0RgrQAHWTga12sPzuhJFRAJJpJ08MmXUpl1DkC BT9Jf/HOnASjHgbQdxOJTK5dU41k5G3ak4OG6uv8NfDYqF+OpkglQxR3D BsJzwtPH2uqC690C6d6ba84Li3roTbERPwa73kLisc/lQJxFpfvr0A8MH lUNURRerGj1y/r8ssx450AtadxqxS8DaUsq9NCHTc0/YstoDsbu+kruI2 6SkytquWJPUDBwufA0EQA4zrfJY22fDoQDFG3PjPIgi1BvWuq0d4GAmBV Q==;
X-EEMSG-check-017: 181979386|UPDC19PA20_ESA_OUT02.csd.disa.mil
X-IronPort-AV: E=Sophos;i="5.81,195,1610409600"; d="scan'208";a="181979386"
Received: from edge-mech02.mail.mil ([214.21.130.231]) by UPDC19PA20.eemsg.mail.mil with ESMTP/TLS/DHE-RSA-AES256-SHA; 21 Feb 2021 16:49:41 +0000
Received: from UMECHPAOS.easf.csd.disa.mil (214.21.130.162) by edge-mech02.mail.mil (214.21.130.231) with Microsoft SMTP Server (TLS) id 14.3.498.0; Sun, 21 Feb 2021 16:49:26 +0000
Received: from UMECHPA7D.easf.csd.disa.mil ([169.254.6.57]) by umechpaos.easf.csd.disa.mil ([214.21.130.162]) with mapi id 14.03.0509.000; Sun, 21 Feb 2021 16:49:24 +0000
From: "Chudow, Eric B CIV NSA DSAW (USA)" <eric.b.chudow.civ@mail.mil>
To: 'Douglas Foster' <dougfoster.emailstandards@gmail.com>
CC: "'Murray S. Kucherawy'" <superuser@gmail.com>, 'IETF DMARC WG' <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Fwd: I-D Action: draft-ietf-dmarc-psd-10.txt
Thread-Index: AQHXB5ET6UmKpEsHj0KnyPYuL27pUKpizr6Q
Date: Sun, 21 Feb 2021 16:49:24 +0000
Message-ID: <553D43C8D961C14BB27C614AC48FC03128186461@UMECHPA7D.easf.csd.disa.mil>
References: <161144436332.13490.10651420808048876097@ietfa.amsl.com> <CADyWQ+EhD0nz71dLtUFwb9V_6uuen-k6E5fpvrCg3ZYzfr2JSw@mail.gmail.com> <ba38a9e4-7f43-c747-2d90-f35de22a8399@gmail.com> <CAL0qLwZJaEBrXdE9JOZNOJAgR7iEzfMA86Csi2sNtE5JC7ROUQ@mail.gmail.com> <c5cd9239-b204-255a-48a3-1cdccf18464a@gmail.com> <CAL0qLwYrcg__sewPO+EWfJf-5uoHcnQpFqtw-QoXxngHTJvkAA@mail.gmail.com> <e0a4c5eb-b047-67fe-8d76-e5beb921e5ae@gmail.com> <CAH48ZfyZmBp91WjfnNb0W35m+5wFGBonG+hoe2RCK_3N3xd6Xw@mail.gmail.com>
In-Reply-To: <CAH48ZfyZmBp91WjfnNb0W35m+5wFGBonG+hoe2RCK_3N3xd6Xw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [214.21.44.12]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/CHd9A_0LWsW_N6sSLXUbjxhI-H0>
Subject: Re: [dmarc-ietf] Fwd: I-D Action: draft-ietf-dmarc-psd-10.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Feb 2021 16:49:47 -0000

I think it's getting better, but I wouldn't call them Internet Naming Authorities. Should we just call them higher-level entities? Also, while the biggest help that PSD DMARC would make is for non-existent organizational domains, it can also help with other domains that haven't expressed a DMARC policy, so the abstract shouldn't only discuss unregistered domains.

How about this:
--
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a scalable mechanism by which a mail-originating organization can express policy preferences for validation and disposition of messages which purport to come from owned domains, as well as requesting feedback reporting about those message validation and disposition actions. These features allow the Domain Owner to detect and inhibit domain name abuse.

DMARC is designed for use by individual Domain Owners or organizational Domain Owners for their domains and sub-domains. Consequently, DMARC preferences by higher-level entities that have Organizational Domains below them in the DNS hierarchy cannot be specified for sub-domains in their purview. Those higher-level entities have an interest in detecting and inhibiting domain name abuse for domain names within their section of the DNS tree, and message recipients have an interest in preventing deception by entities using those domain names as well. Since its deployment in 2015, use of DMARC has shown a clear need for the ability to express policy preferences for these domains.

Domains at which higher-level entities accept registrations by multiple organizations or other separate entities are referred to as Public Suffix Domains (PSDs).  This document describes an extension to DMARC to enable DMARC functionality for PSDs. It also addresses implementations that consider a domain on a Public Suffix List to be ineligible for DMARC enforcement.

This document also describes an extension to DMARC to specify separate, often stricter, policy preferences for non-existent sub-domains.
--

Thanks,
-Eric

___________________________________
Eric Chudow
DoD Cybersecurity Mitigations
410-854-5735, eric.b.chudow.civ@mail.mil

From: Douglas Foster <dougfoster.emailstandards@gmail.com> 
Sent: Saturday, February 20, 2021 9:01 AM
To: Dave Crocker <dcrocker@gmail.com>
Cc: Murray S. Kucherawy <superuser@gmail.com>om>; IETF DMARC WG <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] Fwd: I-D Action: draft-ietf-dmarc-psd-10.txt

This wording attempts to address the objections by giving
"registration" a specific context.    I also rewrote some of it for readability.

- -

DMARC (Domain-based Message Authentication, Reporting, and
Conformance) is a scalable mechanism by which a mail-originating
organization can policies and preferences for validation and 
disposition of messages which purport to come from owned domains, 
as well as requesting feedback reporting about those message 
validation and disposition actions.  These features allow the domain 
owner to detect and inhibit domain name abuse.

DMARC is designed for use by domain owners.  Consequently it has no 
applicability for domains that have no owner because the domain has 
never been registered with an Internet Naming Authority.  Those 
authorities have an interest in detecting and inhibiting abuse of the 
name registration process, and message recipients have an interest
in preventing deception by entities using unregistered organization 
domain names.

Domains at which Internet Naming Authorities perform registration are 
referred to as Public  Suffix Domains (PSDs).  This document describes 
an extension to DMARC to enable DMARC functionality for PSDs.

 This document also seeks to address implementations that consider a
 domain on a public Suffix list to be ineligible for DMARC
 enforcement.