Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Bron Gondwana <brong@fastmailteam.com> Thu, 17 August 2017 00:47 UTC

Message-Id: <1502930858.4042926.1075890568.5069945B@webmail.messagingengine.com>
From: Bron Gondwana <brong@fastmailteam.com>
To: dmarc@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_150293085840429260"
In-Reply-To: <CAD2i3WN_bmDgmQBw3pnyu7vWJJM2Kzwgru87VhK=NA_H91B+og@mail.gmail.com>
Date: Thu, 17 Aug 2017 10:47:38 +1000
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com> <166070f0-4ba1-70da-1f73-885b4a7f7640@gmail.com> <1502497178.4103451.1070917304.23DD466D@webmail.messagingengine.com> <598F9484.7020700@isdg.net> <CABuGu1p=oLfLRkuoaDHoz3Cv3_FrURdsFPzkac7jNzBpqBmiSg@mail.gmail.com> <599484FB.9050908@isdg.net> <1502929303.4038704.1075868960.5D80A788@webmail.messagingengine.com> <CAD2i3WN_bmDgmQBw3pnyu7vWJJM2Kzwgru87VhK=NA_H91B+og@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/DbPCvMotwrYVrdnjP95MqR7YRik>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
Precedence: list

On Thu, 17 Aug 2017, at 10:34, Seth Blank wrote:
> On Wed, Aug 16, 2017 at 5:21 PM, Bron Gondwana
> <brong@fastmailteam.com> wrote:>> The only way you could even hope (as a mailing list) to avoid
>> rewriting the sender is for every site that currently has DMARC
>> p=reject to change that to a new policy which explicitly means "only
>> reject if no ARC chain" - otherwise you can't stop rewriting sender
>> until you know that every receiver on your list is ARC-aware.> 
> I don't understand your point.

If you are a mailing list and you receive a message from a domain with
DMARC p=reject, you can't send that message on to the members of your
list without rewriting the sender.
> The only way DKIM works is if enough receivers validate it.
> 
> The only way adding elliptic curve to DKIM works is if enough
> receivers validate it.> 
> The only way a DMARC policy works is if enough receivers validate it.> 
> ARC is the explicit solution to mailing list breakage with DMARC.
> But, as with all other IETF RFCs, only works if enough receivers
> validate it.> 
> Our job is to make sure ARC accomplishes its goals under the DMARC
> charter, and demonstrate value to receivers that it's worthwhile to
> implement.> 
> There will always be a ramp up and implementation phase, that is a
> feature, not a bug, and not a reason to say "it won't work."
While there exists A SINGLE SITE which is ARC-unaware and DMARC p=reject
aware, you can't use ARC on a DMARC p=reject domain without rewriting
the sender.  Otherwise that site will bounce the email.
You still have to rewrite the sender until there is either full adoption
or sufficient adoption that you just don't care about the stragglers.
ARC doesn't solve that unless every receiver is either ARC-aware or DMARC-
unaware.  Hence the suggestion that I think Hector is making - to define
a new policy p=rejectnonarc or something, which means that sites which
are ARC-unaware accept rather than reject.
Bron.


--
  Bron Gondwana, CEO, FastMail Pty Ltd
  brong@fastmailteam.com

[dmarc-ietf] ARC-Seal is meaningless security the… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Tim Draegen
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… John Levine
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Scott Kitterman
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… MH Michael Hammer (5304)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… mhammer@americangreetings.com
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos