IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

Seth Blank <seth@sethblank.com> Tue, 31 July 2018 00:20 UTC

Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61652130EFC for <dmarc@ietfa.amsl.com>; Mon, 30 Jul 2018 17:20:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id USr74U__KSy8 for <dmarc@ietfa.amsl.com>; Mon, 30 Jul 2018 17:20:32 -0700 (PDT)
Received: from mail-oi0-x22f.google.com (mail-oi0-x22f.google.com [IPv6:2607:f8b0:4003:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91093130E11 for <dmarc@ietf.org>; Mon, 30 Jul 2018 17:20:32 -0700 (PDT)
Received: by mail-oi0-x22f.google.com with SMTP id n21-v6so24717421oig.3 for <dmarc@ietf.org>; Mon, 30 Jul 2018 17:20:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=zQcWcx8Wnr7VGcsQCLpUXs52X7KlmIzZ+F0DZGKoWs4=; b=d7pEDumVoiDdolLlSe3YyYyNq+UXe74hPRBptrpgXJVbAare0p448ofmwtYRBAwXzZ E5AdDYeBOAW3Ddg3zECV6mC2+kECQeMONV0X6Yza55+WzWwPXPuXHBhJLNrGHHEVBzbT 0yVFKuGbGjcslcx7rWQPqnOUK6DHKfPzK4tap3ldvPsGJp1zeizW0ov2tntb0BihSsn+ lOqZCQ5Dc/ONoXKWuQSlhCu1E/T2oWzLwLhPTALsQRJa9TNdhQzs6uN4FLOrhKVJSeRS 2XIhARmx9V8kKYLQj12CjpBy47q7C/Gml/2m/EYSYpamcEFLa9KByzQESPoygEaVcqn7 8dYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=zQcWcx8Wnr7VGcsQCLpUXs52X7KlmIzZ+F0DZGKoWs4=; b=CGIQ5ZNL9JJeV3+qF4LyMoNsIzzfCPQTtYq1VlRxkyKs4WxQv1gazviHdDt+Vkmble GR3mHtGq+o0ZJyM5Tfz/RxQ9NeaUkvGkv8DQAK8fpGxCNv+fRSNnzVEziJGinMPczs5a QUtjcpTfkAGILRtyhzLlP+BS86oBlukyJHUu0KDQ5I4gPTanZ/lqI+GrQdK9U//VgICG nSbsBOv49dGcVpUpkosa4miHQADw/Z5PYTtsBSeAIenS/TZHHaub8HnQd3vSSvITQsBN xROg3l6YDqnTVQCzeYpcUxS+Cm7aGHTFtXv4Cf1d5R5vQSeMggT80eamOsG/79xS3Ydq p/Fw==
X-Gm-Message-State: AOUpUlGpLhgxm1JLqxB9BYGEh+BXpKfleFld3h4ODrTDupd2qqVtFLj/ QYrE92BBrZHnfQZqrztz3eLSyxWxipNauZGfrAkL7XIf
X-Google-Smtp-Source: AAOMgpeZ1flQcXx/ws15vavASdGMFbKRMTesz1xBDhoZIq78twLyPqG/2NotxDfaxpZcuCKh7HhR+PX6zMMkcvHZ+Ac=
X-Received: by 2002:aca:d088:: with SMTP id j8-v6mr20792627oiy.276.1532996431614; Mon, 30 Jul 2018 17:20:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:2646:0:0:0:0:0 with HTTP; Mon, 30 Jul 2018 17:20:11 -0700 (PDT)
In-Reply-To: <20180730221726.713CE200316625@ary.qy>
References: <CAD2i3WNSe+of7U8fdTnmUeU3sthUbpEVgdYHT9J6BgLxoeOL3w@mail.gmail.com> <20180730221726.713CE200316625@ary.qy>
From: Seth Blank <seth@sethblank.com>
Date: Mon, 30 Jul 2018 17:20:11 -0700
Message-ID: <CAD2i3WMvCugRm4KZeLx3PFb6f_pKR3rs4mnH2FZO4_X7ZA7GHA@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bfe0d80572408b52"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/FYINSqPvt3ha57WXKjclI3UzKVM>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jul 2018 00:20:34 -0000

On Mon, Jul 30, 2018 at 3:17 PM, John Levine <johnl@taugh.com> wrote:

> I think it's fine to sign and hope for the best, but how is a
> validator supposed to tell the difference?  Perhaps we need something
> like cv=restart.
>

So that's where this specific thread started if you roll back to the very
first message.

The working group considered cv=invalid last year, but there was strong
consensus was against it. The guidance for Sealing cv=invalid Chains
somehow made it into this draft applied to all cv=fail Chains. All Chains
should be Sealed in the same fashion (your AS covers the ARC Set you've
added and all previous ARC Sets), unless the Chain is invalid in which case
you only Seal your own ARC Set.

We could add a comment about cv=invalid into Experimental Considerations.
If not being able to tell the cases apart creates issues, it can absolutely
be added once we are considering the standardization of ARC.

v2.23.0 | Report a Bug | By Email