IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

Seth Blank <seth@sethblank.com> Mon, 30 July 2018 18:16 UTC

Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36AAD1311EB for <dmarc@ietfa.amsl.com>; Mon, 30 Jul 2018 11:16:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y4LMAhyut2bN for <dmarc@ietfa.amsl.com>; Mon, 30 Jul 2018 11:15:57 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52358130E96 for <dmarc@ietf.org>; Mon, 30 Jul 2018 11:10:36 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id d189-v6so22955516oib.6 for <dmarc@ietf.org>; Mon, 30 Jul 2018 11:10:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=ryefvDV0qrmn6UE3NeYL0cVl4vNxckpxkNb0BpN7/XQ=; b=SSCTznwpARoGcKnjpCW9FzHzHB3o09HZm5jUX9xD/Knie0PaAEtXLEqku/Cx9Ju7wB 1O+qo8GqdZrJNLhH2V8HxnJCGWBlfPWyHLLa18sWXfTPw2LgAVN76iWMNlw2y3Mwtei3 2zqopZTgJwTpwhGKa9mwOjvZWty+3oCtFywLCSQU+//85CoOJInJ6/uzdHtR37pwZ1yO SQ+XbNGLh5pMQepxu5zSZtgrlBKd3u+35N2iz+pJDhk8S7WFInyjiWHBgv1fzhfDOKLh Et9ALxiW6DeI36Vz369CdduKF3fD46QKR9gs0tuMmQNLMrMlWMJTCmNwBTIuObpbf/C0 b0Ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=ryefvDV0qrmn6UE3NeYL0cVl4vNxckpxkNb0BpN7/XQ=; b=VJ5plVQfu0k0fuITKDcqdrTGoxM9k7aeuEDMWoogBmeKRImcdcSb9dY9bmH+ssjWCr Nj596Ryewc7HodWRaYEcLQz2NDtGmGTtUwU73xzCGlFHvy4LhuzX1ymkfrfgVSksBtxk f2Hfage9iJ0YxT/45h/4SKhq5+zYMSxB2f404ObKp4SQ+Hi5AzLUG35jODUW5h2S1plQ j7RskNa+lyuJsfBz5H29sfwHDW1wcWnljREs0w5B7CwCJFGl/VfbsIv2fMQFDCsu7lVD XMmAHVaBYLwKZx/ATe9CkDp44WFKma/F2av6s++d4Y1uObUeaaNCe88hiGAj2JAsScx0 HHyg==
X-Gm-Message-State: AOUpUlFfBfIlTeIGGQ9F35NDYdIdxtqrO/t29WKW+cEGQaLbghxcnCWw GISbtAKZCeOmvX8femLbjZ6TB0Ci1nqqx+dFMHHoFSc6v/A=
X-Google-Smtp-Source: AAOMgpdL94cKkZbRMSnS+m+gJcrpfK1xxpDq65GnyhHYteQPu9i2j0Cx0gfURDBPtB81br+mQQBoGNq5oJaC8uaNRY0=
X-Received: by 2002:aca:cdc2:: with SMTP id d185-v6mr5595011oig.350.1532974235232; Mon, 30 Jul 2018 11:10:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:2646:0:0:0:0:0 with HTTP; Mon, 30 Jul 2018 11:10:14 -0700 (PDT)
In-Reply-To: <1532905189.2879805.1456751232.5F2CDCE4@webmail.messagingengine.com>
References: <CAD2i3WMMJPaZYonS-qcz8pwOKYmS2Xe+8WBZPuAqjiGoYePzSg@mail.gmail.com> <CAL0qLwapyX3U=0OqQWzx+dDELn3W0v=N_HyzDnSw49oWQ+SE5Q@mail.gmail.com> <CAD2i3WN90JSS8pzgRxrbokuKmhZaLUrimYRWqkZwzVDBxTczng@mail.gmail.com> <CAL0qLwZ_uPh5iPkS7MKzDp3x=dAgn-hmsEunccDc3Hj2bsphpQ@mail.gmail.com> <CAD2i3WM99Yy6Y=BQE4dC=Ffm7J32My160Xdm2oxXC50Au9tXoA@mail.gmail.com> <1532745551.208119.1455489824.75DFC005@webmail.messagingengine.com> <CAD2i3WOHjUwi3J=xsLca5_4DJL=S+jaReGRC1fBQH5wsfWxOVg@mail.gmail.com> <1532905189.2879805.1456751232.5F2CDCE4@webmail.messagingengine.com>
From: Seth Blank <seth@sethblank.com>
Date: Mon, 30 Jul 2018 11:10:14 -0700
Message-ID: <CAD2i3WNBdq9sC+2yRFUh=9ZpQH66kOdLfp8DjGcMjpKrWxF1Uw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bdc35a05723b60be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Eb_Ueu24wdubnZxnmjyDRINYGUs>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 18:16:09 -0000

On Sun, Jul 29, 2018 at 3:59 PM, Bron Gondwana <brong@fastmailteam.com>
wrote:
>
> I'm not sure what you mean by "the veracity of the header field data".
> Can you give an example of a cv=fail where there's useful information still
> trustworthy in the message, because I don't see it.  To use the "chain of
> custody" analogy, if you have a bag of evidence and it's been unsupervised
> in the hands of an unknown party, the contents have no evidentiary value
> any more.
>
> There's two types of fail - fail on AMS, which could just be a
> modification by somebody, and a fail on an AS, which means there's
> definitely either buggy software or somebody screwing with the chain.
>
> But even a single AMS fail means that an unknown intermediary could have
> changed every single header that's covered by the AMS.  There's no way to
> know what they changed.  Ditto the body.  It could be a totally different
> message and there's no way to know because the chain of evidence is broken.
>
> So again - all that you can know when you see a broken AMS is that
> somebody got their hands on a message which had followed the existing chain.
>

There are two premises to keep in mind:

1) For the first chunk of ARC's life, there will be a significant amount of
ARC breakage due to intermediaries who do not properly or yet implement
ARC. Some of the data ARC collects may in isolating these intermediaries
and helping them properly adopt ARC.

2) we don't know what data is valuable yet, and would rather collect extra
data than throw out potentially useful data (Section 11.3.3)

Given these, it is worthwhile to capture the chain information even in
failing states (i.e. cv=fail should sign greedily), especially when you
consider the three major failure scenarios:

1) A good actor improperly Sealing

ALL the data in the Chain is valuable, including the breakage, because it
isolates the issue and allows that improper Sealer to get feedback and fix
their systems. Realistically, there will be a lot of work done here, as
intermediaries deploying ARC for the first time may get it wrong.

2) A good actor not Sealing

Again, ALL the data in the Chain is valuable, as it would isolate where the
breaking intermediary is and allow outreach. This will probably be the most
prevalent ARC failure we see in the wild in the near term - mailing lists
that do not yet Seal.

3) A bad actor modifying the chain

Sure, the Chain is garbage. But if all the AS's validate, then the bad
actor's been forced down two paths: either a) they are forced to extend or
replay a valid chain, or b) they must create a garbage chain using only
domains they have DNS control over. If the AS's don't need to validate,
then there are numerous malicious paths an attacker can take to modify the
chain in subtle ways.

v2.23.0 | Report a Bug | By Email