IETF Logo Mail Archive

Re: [dmarc-ietf] Guidance around constructing an AAR when multiple AR headers are present?

Scott Kitterman <sklist@kitterman.com> Tue, 30 May 2017 17:33 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD4C6129BD1 for <dmarc@ietfa.amsl.com>; Tue, 30 May 2017 10:33:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DiMsH0aI2ikk for <dmarc@ietfa.amsl.com>; Tue, 30 May 2017 10:33:28 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D844129ADA for <dmarc@ietf.org>; Tue, 30 May 2017 10:33:28 -0700 (PDT)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 14422C401F4 for <dmarc@ietf.org>; Tue, 30 May 2017 12:33:27 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1496165607; bh=iCHX7y3IG9cz0f3LFe0Y7LNkl5r4h9GnJI30EpXe4rI=; h=From:To:Subject:Date:In-Reply-To:References:From; b=CJIJl2OhNcA+M/ejzo8l5r0WomZe6nAphprrVocTUegPLdqkr83jna+NznButSgPj fccZ2wqX5kR9jMUzDTZjIEnT+TMW+y041mOHnshigXwDXtRzv1v5UQKlfmKA3piIs4 PV2JY8MaNSHzAWZsbgS/sje4QgDv3zpHzld7quuY=
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Tue, 30 May 2017 13:33:26 -0400
Message-ID: <3073712.x93XL1H1LP@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-119-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <CAOZAAfN2E--bpMOrpFWRs3gAEMWM8ziCd_o9U3sh7+87PNE_Gg@mail.gmail.com>
References: <alpine.OSX.2.21.1705242026410.29429@ary.qy> <4BC08AA6-02AE-4186-B0DB-ED773A35809C@kitterman.com> <CAOZAAfN2E--bpMOrpFWRs3gAEMWM8ziCd_o9U3sh7+87PNE_Gg@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/EE7sYqKC-BNMJpE8kESdxIpn9iM>
Subject: Re: [dmarc-ietf] Guidance around constructing an AAR when multiple AR headers are present?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 May 2017 17:33:30 -0000

On Tuesday, May 30, 2017 10:21:14 AM Seth Blank wrote:
> On Tue, May 30, 2017 at 9:39 AM, Scott Kitterman <sklist@kitterman.com>
> 
> wrote:
> > On Tuesday, May 30, 2017 09:34:49 AM Seth Blank wrote:
> > > Resolved items:
> > > - Handling of multiple incoming AR headers (resolved, but language not
> > > yet in spec)
> > 
> > If this is resolved in favor of not handling multiple AR header fields
> 
> (which
> 
> > IIRC is the plan), then something needs to specify the combination is
> > required.  I think that something needs to be a DMARC document, not ARC,
> > because this is a requirement that's being imposed on all DMARC AR header
> > field providers regardless of if they care about or participate
> > explicitly in DMARC.
> 
> I believe the consensus in this thread was about adding the following
> sentence to the first paragraph of https://tools.ietf.org/html/draft-ietf-> dmarc-arc-protocol-03#section-5.1.3 , with added clarification that we're
> only talking about the current AAR[n]:
> 
> "The AAR should contain all Authentication-Results results from within its
> ADMD, regardless of how many Authentication-Results headers are on the
> message."
> 
> I don't think this needs a separate document, as I think it is very ARC
> specific because it's only about construction of the AAR header and making
> sure the proper information gets into it (since multiple AR headers are a
> reality in the wild, we just need a sentence on how to deal with them).
> 
> Or am I totally misunderstanding your point?
> 
> Seth

It at least, probably more likely, I'm misunderstanding.

At some point in the process, an AAR and ARC signature get created. Later, 
someone else has to validate them.

My point was that when you are on the signing end of this, you have to grovel 
through all the relevant AR header fields since there's nothing telling 
another doing new authentication the should combine them into the same field.  
Seeing sequence of AR fields for SPF, DKIM, and DMARC is quite normal.

I thought that what was being said was that the AAR contstruction process 
could assume a single AR field and that's not correct.  Now that I see it 
explained again, I see I was thinking one step too far back in the process.

So, I think it was my misunderstanding, although if you're doing to use the 
results of the AAR in the verification process and assume it's all in a single 
AAR header field, then I think that should be a MUST, not a SHOULD.

Scott K


> On Sun, May 28, 2017 at 8:53 AM, Scott Kitterman <sklist@kitterman.com>
> 
> wrote:
> > On May 28, 2017 11:27:35 AM EDT, John Levine <johnl@taugh.com> wrote:
> > >In article <8F87F9DE-C87E-406E-BA49-6AEA5DC17283@kitterman.com>,
> > >
> > >>Nothing other than potentially ARC requires multiple AR header fields
> > >
> > >for different authentication types to be combined.  These different
> > >
> > >>verification operations (e.g. SPF, DKIM, and DMARC) are generally
> > >
> > >performed be different processes that add their own AR field.
> > >
> > >Since DMARC needs the results of SPF and DKIM, how does that work?
> > >Does DMARC look at the A-R that the other two created or is there a
> > >side channel?  It occurs to me that a DMARC process has everything
> > >needed to make a header that combines all three.
> > 
> > snip
> > 
> > At least for OpenDMARC, if it's not doing it's own SPF check (which seems
> > odd to me because it's done after DATA, but it works), it will look at
> > multiple AR fields for both SPF and DKIM results.
> > 
> > Scott K
> > 
> > _______________________________________________
> > dmarc mailing list
> > dmarc@ietf.org
> > https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email