IETF Logo Mail Archive

Re: [dmarc-ietf] Updated mandatory tag/conditional signature draft

"Murray S. Kucherawy" <superuser@gmail.com> Mon, 13 April 2015 18:21 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A93FC1AD0AE for <dmarc@ietfa.amsl.com>; Mon, 13 Apr 2015 11:21:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.701
X-Spam-Level:
X-Spam-Status: No, score=0.701 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MVaBqrPgNGjH for <dmarc@ietfa.amsl.com>; Mon, 13 Apr 2015 11:21:25 -0700 (PDT)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E7821A1A0F for <dmarc@ietf.org>; Mon, 13 Apr 2015 11:21:24 -0700 (PDT)
Received: by wiun10 with SMTP id n10so77038713wiu.1 for <dmarc@ietf.org>; Mon, 13 Apr 2015 11:21:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=K6Vdi2PpBUMaphu0PGnn5jpbEIhmf/n1WxH436WG0Nc=; b=w7RKRXmwY+WHmEDcWLRsg2rhDbE18Ag3jL94vuLFtMUbpDUWG00ndd4bejC/kGq3fZ ByPbvlPLuuwtUsl9rzAuWTJZQD27mwm/TYtQvdgBRX2Y3ZX1BabuNS2rHUV0akhV/rfp mkNyxtPi3FSaLcwv0tXFTd+59kcqaT6dtdnfc0HS+6CfNPjzUoz1d24UkoQoHdG59Wc7 S4y/XEeuImbzOwpzGTlJgn+w5ZDndVRlmXjZ7Um0MQg/iwk2T1/bN15MDwqxgYWEf6h7 kI1inanEBLHPjvfXivrhqoaZbkMp23IOiC4186j0wVleQEROXC2V6NBK3YmnB7jAXOsq oWJw==
MIME-Version: 1.0
X-Received: by 10.180.80.105 with SMTP id q9mr4922535wix.52.1428949283309; Mon, 13 Apr 2015 11:21:23 -0700 (PDT)
Received: by 10.27.92.17 with HTTP; Mon, 13 Apr 2015 11:21:23 -0700 (PDT)
In-Reply-To: <878udwcvda.fsf@uwakimon.sk.tsukuba.ac.jp>
References: <20150410170856.730.qmail@ary.lan> <1646939.LNu9R6Ga10@kitterma-e6430> <87d238d92k.fsf@uwakimon.sk.tsukuba.ac.jp> <552B5060.3000808@gmail.com> <878udwcvda.fsf@uwakimon.sk.tsukuba.ac.jp>
Date: Mon, 13 Apr 2015 11:21:23 -0700
Message-ID: <CAL0qLwbv_wucVx_xq8M=CxxKHFA7UjmKVaaznaoqkYs8jDYKrg@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: "Stephen J. Turnbull" <turnbull@sk.tsukuba.ac.jp>
Content-Type: multipart/alternative; boundary="f46d04428e3e6f0c4d05139f2e0e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/Ez5cY8vSaT64Njlni6jFMV1USjs>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>, Douglas Otis <doug.mtview@gmail.com>
Subject: Re: [dmarc-ietf] Updated mandatory tag/conditional signature draft
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2015 18:21:26 -0000

On Mon, Apr 13, 2015 at 12:58 AM, Stephen J. Turnbull <
turnbull@sk.tsukuba.ac.jp> wrote:

> Douglas Otis writes:
>
>  > If the DMARC domain fails to step up, then a reasonable fallback
>  > could require the display of the Sender header offering the needed
>  > alignment.
>
> I don't understand this.  We already see that most professional
> spammers exhibit From alignment on much of their traffic.  Sender
> alignment is just as easy to implement, even if we could expect MUAs
> to conform to the "required display of Sender field".  Users do not
> understand the Sender field as far as I can tell.
>

To the extent comprehensible, TPA is meant to allow author A to tell
receiver B that mail that has C in (for example) the List-ID field should
be treated as though it came from A.  However, I concur that it means an
impostor can simply do what the TPA record says and thereby succeed; few of
the properties TPA identifies are authenticated in any way.  It might be
helpful to get alignment working through paths that invalidate SPF or DKIM,
but compared to the fact that it basically advertises how to get a "pass"
in an invisible way, it's more scary to me than not.  Now, if that isn't
the case, then I suggest the document falls short of explaining how this is
not an attack vector.

Also, Doug insists that this is not registration, but I don't know how he
can claim this since it requires a DNS entry for every {A, C} pair that
exists which must then be queried by every B that might receive mail from
C.  Unless I'm not understanding use of the term, that's exactly how I
believe we've been using "registration" lately, and the argument on the
table is that any registration scheme is basically a non-starter for
operators for which the cardinality of AxC is or could be large.

As I've pointed out before, ATPS, DSAP, and all other earlier proposals
that required a registration step have also been non-starters.  I'm not
picking on TPA here; I'm saying this entire family of solutions is probably
not the best use of our time, and I suggest there's empirical evidence to
support that claim.

-MSK

v2.23.0 | Report a Bug | By Email