IETF Logo Mail Archive

Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Hector Santos <hsantos@isdg.net> Wed, 09 August 2017 00:16 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60A5113219D for <dmarc@ietfa.amsl.com>; Tue, 8 Aug 2017 17:16:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=kTDYSzQH; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=iLDHYxjz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8VI7y2r3gfr9 for <dmarc@ietfa.amsl.com>; Tue, 8 Aug 2017 17:16:37 -0700 (PDT)
Received: from ntbbs.winserver.com (dkim.winserver.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 1AB901320CC for <dmarc@ietf.org>; Tue, 8 Aug 2017 17:16:36 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4865; t=1502237792; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=rJ/h1tFuR7PI63TUNGieXXJZtdI=; b=kTDYSzQHgbrezvq8HoTYC6HOwNfkm5277L7uQQTO4KBsHl6V1+/JZUJqkR0Pip viome+gPg/2ZTABwCyCIjIX/bC9U2//+HjBC7uP2I2ddyMHiieTHcuXI8Gn9neW+ I1DODj/GRbMVLwSb5cliiKxwxxUT3ILWOPpfV/JnPmqOY=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.6) for dmarc@ietf.org; Tue, 08 Aug 2017 20:16:32 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 2301655279.1.1096; Tue, 08 Aug 2017 20:16:31 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4865; t=1502237768; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=Lzd/8O8 H8mAlMH2NkjPTfxzdLoPfsSvqUvjyHV5c+YE=; b=iLDHYxjziDd/lk0rC78P/IU Ie89VgZQdBpPQ7lr7gnDX7l8zI5MauUQLMeK8KiAe1EUarxkmYzIe9kLmg1BnrDE 5TQWz1ja+2Z8fmP1HSYECQYdGW7V7h3iZD7XmHDNlwNXI7LQ2XEtJYi5VjNknKaf qVsKmooOY4SDnuK2dQqU=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.6) for dmarc@ietf.org; Tue, 08 Aug 2017 20:16:08 -0400
Received: from [192.168.1.68] ([99.121.5.8]) by beta.winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 2844165408.9.270892; Tue, 08 Aug 2017 20:16:07 -0400
Message-ID: <598A545E.3080708@isdg.net>
Date: Tue, 08 Aug 2017 20:16:30 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CAD2i3WOCFHf7C4qjpCcGCFKJKsZC2+Wty1arkQgTU_jtrS6MuQ@mail.gmail.com> <1502165454.4116080.1066378520.2314FE46@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com>
In-Reply-To: <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/CyDjDhzYIck_G2XWNh5IVBJnttw>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2017 00:16:40 -0000

On 8/8/2017 9:59 AM, Bron Gondwana wrote:
> On Tue, 8 Aug 2017, at 23:36, Kurt Andersen (b) wrote:
>>
>> Is your concern that the last hop (or any other) can essentially do
>> a wholesale replacement of the message contents and that there is no
>> way to distinguish that from a semantically meaningless footer tweak?
>>
>> I'm not sure that I understand your assertion that you can forge an
>> AS any more than you could forge a DKIM signature.
>
> The whole point of verifying the chain of AS all the way back to i=1
> is that you can tell that the message went through those servers, in
> that order.
>
> But it's bogus, because AS doesn't sign anything except itself and
> some AMS and AAR.  Once AMS doesn't validate any more (any change at
> all) then you can't really tell that the message passed through there,
> just the _a_ message passed through there.
>
> So I could take an existing message that had passed through Google and
> create a brand new message and pass it off as if it had passed through
> Google before passing through my server on its way to you.
>
> In which case - the AS is meaningless.  It claims something which is
> only true if everyone plays by the rules.  But if everyone plays by
> the rules, then it's excessive.  You could just check the previous AAR
> and know that the previous site had validated the hop before it, and
> so on.  It's crypto that doesn't add anything of value.
>
> It's not actively damaging (other than the advice to do excessive DNS
> lookups), but it's also not doing anything meaningful, and it's adding
> something forgeable that looks like it means something.
>

I think we are falling back a Policy Model where we need to know what 
the all important originating Author domain desires. What is the 
expected here for mail processing by the domain?

I thought the main reason, purpose, the "PayOff" for ARC,  was to help 
deal with indirect mail breakage when a DMARC p=reject policy is set 
and more importantly, SMTP receivers with embedded DMARC support have 
begun honoring with hard 55x rejects or ACCEPT/DISCARD/SPAM local 
policy logic.

It is the same problem ADSP had, but it wasn't fully realized, only a 
proof of concept (demo) was shown (here in the list, by me). Receivers 
had yet to implement or turn on the ADSP DISCARD switch but we 
envisioned the indirect mail issue would begin when they did.  So it 
was foreseeable Mailing List members would begin to get unsubscribed 
due to perpetual erroneous receiver rejections.  DMARC proved it when 
the idea was implemented and honored and the screaming began.

ARC is trying to automate something without the help of the 
originating domain.  If ARC is suppose to help save the "message" and 
the author domain from using a p=reject on a mailing list or indirect 
mail travel,  then it leverage the DNS lookup it is already doing.

I think we have made this all too complex by resisting a policy 
concept that helps with all this main processing.  ADSP and DMARC had 
to same issue, so when was ADSP abandoned and  replaced with the 
"Super ADSP" version called DMARC,  the only difference was the 
reporting stuff, which is really not helping.

Anyway, food for thought, a DMARC Tag Extension called ArcSeal.  I'm 
just winging it, so the ARC cogs can consider, or not:

        ArcSeal=All       ; All ARC seals must be valid start to finish.

        ArcSeal=Last      ; Only the last sender/ARC signer is 
necessary (because
                            of the chain of trust).

I suppose there is a "Hops" count concept in there, but the ArcSeal 
tag does not exist, the the message is in an indeterminate state. If 
it exist, thats added value to the Domain declaring to the world what 
it expects and allows, including desirable hard rejection.

The main thing is the automation.  It help with an incentive to 
encourage implementors sitting on the fence. It can help by relaxing 
the rejection of the DMARC p=reject policy using ARC. Isn't that a big 
help?

Personally, I really don't want to waste any more years working on 
this ARC complex proposal and really, this DKIM project since the 
early 2000s.  Folks, we are approaching 15 years on this stuff!!!!  It 
has been a battle of the Trust Model vs Policy Model.  We almost had 
it VBR for TRUST and for Policy with ADSP (proposed standard) plus 
ATPS (experimental) as a possible solution to the indirect mail 
problem.  But abandoned and replaced with DMARC (Informational) which 
has the same problem ADSP was abandoned far.

Sorry for repeating the same thing, but DMARC is the same problem and 
whey we are here, no?

So if DMARC is it, can we please fix it and have it work with ARC to 
help resolve the indirect mail problem?

If not, than other than marketing bullshit, is there any "mail" 
benefit and convincing reason why ARC should be implemented?

Thanks.

-- 
HLS

v2.23.0 | Report a Bug | By Email