Re: [dmarc-ietf] A policy for direct mail flows only, was ARC questions

[Alessandro Vesely <vesely@tana.it>]

On Wed 02/Dec/2020 03:14:46 +0100 Brandon Long wrote:
> On Tue, Dec 1, 2020 at 2:37 AM Alessandro Vesely <vesely@tana.it> wrote:
>> On Tue 01/Dec/2020 05:56:46 +0100 Brandon Long wrote:
>>> On Thu, Nov 26, 2020 at 12:59 AM Alessandro Vesely <vesely@tana.it> wrote:
>>>> On 25/11/2020 20:16, Michael Thomas wrote:
>>>>> On 11/25/20 11:11 AM, Alessandro Vesely wrote:
>>>>>> On 25/11/2020 19:24, Jesse Thompson wrote:
>>>>>>> On 11/25/20 11:30 AM, Alessandro Vesely wrote:
>>>>>>>> Without resorting to ARC, it is still possible to validate author
>>>>>>>> domain's signatures directly if the MLM just adds a subject tag
>>>>>>>> and a footer>>>>>
>>>>>>> I agree that ARC isn't really needed to do this (trust the last hop
>>>>>>> from the MLM and determine the original authenticity from the MLM's
>>>>>>> perspective)>>>>
>>>>>> I didn't mean to trust the MLM.  I meant remove the subject tag and
>>>>>> the footer, then the original DKIM signature verifies.  See:
>>>>>> https://datatracker.ietf.org/doc/draft-vesely-dmarc-mlm-transform/
>>>>>
>>>>> When I was at Cisco, with l= and some subject line heuristics I could get
>>>>> probably like 90+% verification rate across the entire company, a company that
>>>>> uses external mailing lists a lot. Definitely not 100% though.
>>>>
>>>>
>>>> DKIM itself is not 100%.  You always have lines beginning with "From " or
>>>> occasional autoconversions.
>>>>
>>>> l= doesn't cover multipart/alternative nor Content-Transfer-Encoding:
>>>> base64. In addition, the DKIM spec discourages its usage and suggests
>>>> that "Assessors might wish to ignore signatures that use the tag.">>
>>>
>>> Right, some of the other dkim-light or diff concepts we discussed would be
>>> better than using l=
>>>
>>> We again got hung up on the 100% solution, though... something that handled
>>> subject-prefix and footer in a transport agnostic way might have worked.
>>
>> I'm not clear about the meaning of "100%".  If an author domain puts no
>> DKIM signatures, there is no way to verify them.  Hence, some compliance of
>> the author domain has to be required.
>>
>> The same holds for conditional signatures.
>>
>> The same holds for MLM transformations.
>>
> 
> Yes, by 100% I meant of messages that were already authenticated and 
> therefore should continue to be authenticated through the relay.


That's ARC.  If a message lacks DKIM and was SPF-authenticated, there's no way 
it can continue to be authenticated through a relay.

OTOH, mailing lists and relays are two different beasts.  For one thing, it is 
very unusual for a mailing list to send to another mailing list.  Thus, we can 
safely specify a non-stackable authentication method.


> Some of the conditional signatures of the "include a diff you can remove to 
> validate the original" attempt seemed to fail on the theory that there were
> too many things that couldn't be handled.  Ie, if your relay removes
> attachments, including them back in a diff kind of breaks the whole point of
> that... but how common is that (even less now with Yahoo Groups gone, but
> possibly still some av/malware relays still do this).

Not to mention anonymous lists, which remove the OP identity completely.  They 
are DMARC-proof by themselves, with no additional twists.  My draft restricts 
footers to text/plain MIME type, to overcome the objection to l=.  Hence, if a 
list appends HTML parts (e.g. to use <hr>), it doesn't qualify as DMARC-proof.


> I think that one issue we've had is that DMARC is very mechanical and 
> straight-forward, so anything that's fuzzy in response seems more
> complicated.

It may seem fuzzy, but it's not.  The ietf list (ietf@ietf.org), for example, 
adds no subject tag and no footer.  DKIM signatures should remain valid, then. 
  Yet, if posters sign Sender:, they fail.  I wouldn't call that fuzziness.  It 
is the very nature of the spec.  If you sign Received:, no relay can hold your 
signature over.


Best
Ale
--