IETF Logo Mail Archive

Re: [dmarc-ietf] Next draft concerns

Scott Kitterman <sklist@kitterman.com> Sun, 12 June 2022 20:38 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72ED7C14F723 for <dmarc@ietfa.amsl.com>; Sun, 12 Jun 2022 13:38:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.11
X-Spam-Level:
X-Spam-Status: No, score=-7.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=jsIxqdpb; dkim=pass (2048-bit key) header.d=kitterman.com header.b=ng0OxC1M
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3a6KuvcGO2Ck for <dmarc@ietfa.amsl.com>; Sun, 12 Jun 2022 13:38:22 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A9CCC14F718 for <dmarc@ietf.org>; Sun, 12 Jun 2022 13:38:22 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id 1695EF80267; Sun, 12 Jun 2022 16:38:18 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1655066297; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=WlMm5tQqHJNUzfUGPJ3IXy2X60n1svt+OgNUHm4oJSk=; b=jsIxqdpbO8URvncohgzHUv3eINdR10rQT7DF0gEsWteKQ/uGJOqbrXTe1FMc1Tmfof8js c0w1xIRHw352gxqAg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1655066297; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=WlMm5tQqHJNUzfUGPJ3IXy2X60n1svt+OgNUHm4oJSk=; b=ng0OxC1M1YVWmBgiXN+qF/pOT43ZPuoim+IQzFdeq76OMcLz6Abv9OVDS7oZmfIZVZUF2 5MbGhQyOsVVZihbw9eUN4B7GEyAcQ+EM/aXQ2ReW1//SCMXMTd+nrwQeN1yBMo9z+q8Qh0L xlDIUyZcS6BJtO/GrTlYA8H4v5ds72YCdxmFFG2h1XlUmJG3fPSA5SOSNfs9mpWgYBdqN3O JqO4WxkparTnyo4IEmCN5Na/xQbgQI8Dc4ZZgsc0CO4kJXkpmDKcBINRAcE1N8YhoV/ET91 3sP1B0vhhcLftvtVsJQeKx6Tl4tXearKl/9kK/E+rTcblJzg1VrWSKGoAZbA==
Received: from [127.0.0.1] (mobile-166-175-56-7.mycingular.net [166.175.56.7]) by interserver.kitterman.com (Postfix) with ESMTPSA id 67CACF801F4; Sun, 12 Jun 2022 16:38:17 -0400 (EDT)
Date: Sun, 12 Jun 2022 20:38:15 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <CAH48Zfy7Jq_Xg9_Dx+o8JbaYAUNrQK52mn5GzC953mps67RG+Q@mail.gmail.com>
References: <BL1PR12MB5753CEB436047B152714100FBFA49@BL1PR12MB5753.namprd12.prod.outlook.com> <20220609191051.F2709434C018@ary.qy> <BL1PR12MB57533941A9C6B481C75D9FFABFA79@BL1PR12MB5753.namprd12.prod.outlook.com> <CAH48Zfy7Jq_Xg9_Dx+o8JbaYAUNrQK52mn5GzC953mps67RG+Q@mail.gmail.com>
Message-ID: <523E77F8-0ACE-4459-9F8A-A531D1734040@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/HCW3A1fjjSQ3tIsGAU4pgJow6hI>
Subject: Re: [dmarc-ietf] Next draft concerns
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jun 2022 20:38:26 -0000

Doug,

I believe I have asked you before to provide specific examples of current domains with records that will cause a problem if assessed via the DMARCbis approach.  If there's a real problem that needs solving, then surely there are examples of it.  If they're none, then how about moving on.

I think you're misreading the thread.

Let's have an example of a real domain, with a  real DMARC record, that would be negatively impacted by being assessed using the DMARCbis design. I haven't found any I think are problematic, but if you have, I'm all ears?

Scott K

On June 12, 2022 8:08:13 PM UTC, Douglas Foster <dougfoster.emailstandards@gmail.com> wrote:
>Les' question has returned us to the problem of justifying the tree walk.
> We need to document the problems with PSL, but we also need to demonstrate
>that the tree walk solves those problems without creating others.
>
>In most cases, the tree walk and PSL will produce the same results, because
>they will both find the top-most DMARC policy in a structure with neither a
>private registrar nor a PSD policy.   So the justification is really
>limited to those exceptions.
>
>We assume that most PSL errors will cause organization fragmentation,
>because of identifying a private registry for XSS purposes which is not a
>private registry for email purposes.    We also know that the current DNS
>has no information about private registries, so if we apply the tree walk
>to the current DNS, we may sometimes error by landing too high and causing
>inappropriate organization consolidations.
>
>In the case that the tree walk stops lower than the PSL target, the most
>secure solution is to believe the DNS policy.   This can only occur if the
>policy has a DMARCbis token which explicitly says that a policy has the
>Organizational Domain role.
>
>In the case that the tree walk stops higher than the PSL target, which do
>we believe?    To tilt the decision in favor of the tree walk, we need a
>token which indicates that the tree walk did not pass over an undocumented
>private registry.   This will also require a new token on the
>organizational domain, which is not yet defined.   I see these possible
>informational signals:
>- No private registries or organizational boundaries underneath this
>organizational domain.
>- All sub-organizations underneath this organizational domain are also
>documented with organizational domain DMARC policies.
>- A private registry exists underneath this organizational domain and is
>documented with a PSD policy.
>
>This means that for either exception, a new DMARCbis token is required on
>the organizational domain.   Consequently, a domain which has not published
>an applicable DMARCbis token should be evaluated using the PSL, and a
>domain which has published a sufficient set of DMARCbis tokens should be
>evaluated using the Tree Walk.   This approach also satisfies our other
>requirement, which is that the tree walk requires an organizational domain
>policy.
>
>I know this is discouraging, because John's original hope was to avoid
>placing a change requirement on domain owners, but I do not see that it can
>be helped.
>
>Doug Foster
>
>
>On Thu, Jun 9, 2022 at 3:18 PM Les Barstow <lbarstow=
>40proofpoint.com@dmarc.ietf.org> wrote:
>
>> Thank you for the history fill-in, John. That does at least explain why
>> we’re here and not somewhere else.
>>
>>
>>
>> I will respectfully disagree that the “psd” tree walk standard is
>> well-defined based on the remainder of my response – that the use of the
>> “psd” TLA for the tag is unfortunate/misleading and that more specificity
>> is desirable. But having the alternatives eliminated at least gets me to
>> “it should be in this spec”.
>>
>>
>>
>> On Thursday, June 9, 2022, John Levine wrote:
>>
>>
>>
>> It appears that Les Barstow  <lbarstow@proofpoint.com> said:
>>
>> >-=-=-=-=-=-
>>
>> >[Strong opinion follows]
>>
>> >
>>
>> >IMO [from April], determination of a DMARC authority boundary (registrar, PSD+1, private registry (+1), or internal subdomain
>>
>> >boundary) should really be done outside of the DMARC standard altogether – a separate DNS lookup not dependent or centered
>>
>> >around DMARC, and one flexible enough to respond with indications of various levels of authority. It is useful for
>>
>> >decentralizing other queries beyond just DMARC (e.g. determining an appropriate WHOIS TLD for lookup). Unfortunately, here we
>>
>> >are at draft 8 of the new DMARC standard and we have nothing to use as a sidecar mechanism.
>>
>>
>>
>> The DBOUND working group already tried and failed to come up with a
>>
>> general way to publish DNS boundaries, so we're not going back there.
>>
>>
>>
>> >Is there a driving need to have this in the standard NOW?
>>
>>
>>
>> Yes, of course. The point of writing a standard is to tell people what
>>
>> to do to interoperate. The current underspecified fudge which winks at
>>
>> the PSL has well known issues since, among other things, the people
>>
>> who run the PSL have made it quite clear that it's not designed to
>>
>> make DMARC work. It contains plenty of entries which make sense for
>>
>> web cookies but not for DMARC.
>>
>>
>>
>> The tree walk is well specified and doesn't depend on third parties
>>
>> who aren't interested in what we want or need.
>>
>>
>>
>> R's,
>>
>> John
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>

v2.23.0 | Report a Bug | By Email