IETF Logo Mail Archive

Re: [dmarc-ietf] indeterminisim of ARC-Seal b= value

Peter Goldstein <peter@valimail.com> Tue, 28 March 2017 02:54 UTC

Return-Path: <peter@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCF171204DA for <dmarc@ietfa.amsl.com>; Mon, 27 Mar 2017 19:54:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.019
X-Spam-Level:
X-Spam-Status: No, score=-1.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zrqo_yk2sh0o for <dmarc@ietfa.amsl.com>; Mon, 27 Mar 2017 19:54:46 -0700 (PDT)
Received: from mail-qt0-x22d.google.com (mail-qt0-x22d.google.com [IPv6:2607:f8b0:400d:c0d::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CAD1128D3E for <dmarc@ietf.org>; Mon, 27 Mar 2017 19:54:44 -0700 (PDT)
Received: by mail-qt0-x22d.google.com with SMTP id r45so53904111qte.3 for <dmarc@ietf.org>; Mon, 27 Mar 2017 19:54:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=bPnFd0+hDcief9RIJmDAVlY+4+y91EYN/8Ki1C4SbnQ=; b=UUDsZPFp0HsfCHebzRXlRvfQcxdCVWGPcR1FAfVikAGDnST8W3MMQXEazq4EKCPz1s 3GIa9VcZtLjoOePvnfU6h9eRhFBDAzSxZrUS5xjcETwXNHSM5qmvUAe6/UVEc2yY5b8l spykDjSYuzDYMHRmLNopCQnc0aW86/q5f8wIEn+RpYcaPZEdClGhKZEriF7cY1Q2/KZl AHradroNUHp8aEW+gMtAoZHLv0Bjh7DHU2BFAKelNq3/6o0YdgrdbSjouugS2oSVZ9FB t8mkZhWe7tVc7hCGGFv8L6PEHPbEkvwmwxCorC9ZyICtupqlY6fvAvkpbB8SM23IGrdb nStw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=bPnFd0+hDcief9RIJmDAVlY+4+y91EYN/8Ki1C4SbnQ=; b=YJz6EvOOGDBKHqzD4a9frysGYYPNfIdMJs6c1u9ICH/tl5hz98Sz9gEhvqf9nNVhOF TpyxCqdX1a/isreSm2A60uoNv1LjzFyedCQWK7To0+CM3DF+ZsX2RIgbrI7hE7p3zNsN qP2YEQ+/xyRCRJLjOFHK9xm21oTGcOJPDz9L0PfXRh262UB4Gk2QisvPSrKAiuNECj8U Gc5hlCZP7nlQlXSPlHpsjyFdWqPHXMiR3UGyv5KM/ibY/VyI6RZLZUNCEj58gN4jaQr0 41bCO0/+in/KMyBlIQkSZG6CvYT+EGRoPTfxJiMBJH+ORvnvuglzFTezLkIhhKbNKvBH 3c+w==
X-Gm-Message-State: AFeK/H2wg5tzL0qZut7f9g/BsapROJ/yqAlimcdJEKjdejqWq9j6YbfkiKJboR2Y1AEYvjohWsnnW/PaJOXeZA==
X-Received: by 10.200.52.135 with SMTP id w7mr24328756qtb.136.1490669684112; Mon, 27 Mar 2017 19:54:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.141.207 with HTTP; Mon, 27 Mar 2017 19:54:43 -0700 (PDT)
In-Reply-To: <alpine.OSX.2.20.1703272118210.2533@ary.local>
References: <CANtLugO_D1Mz_v_341pc5O1mZ7RhOTrFA3+Ob5-onp72+5uRfA@mail.gmail.com> <20170324212304.85346.qmail@ary.lan> <CANtLugOK4tXqA3ztYwchYsc8+t6KhyNj6mvgEu2wzvwKm_rK7A@mail.gmail.com> <alpine.OSX.2.20.1703262130330.4114@ary.local> <CAOj=BA1ruma6dp1CQht8sgYQ-xqGGE2a=R7=+DkXmaft8td2hw@mail.gmail.com> <CABa8R6v5pcA2jXbt0mO2Ej553UmgwCbVANx9HT-rqi27Pmq_TQ@mail.gmail.com> <CAOj=BA338rBMyQgSSz=usNi7s9L1ShO28nMSPmhYqzZ1oOKGzA@mail.gmail.com> <CABa8R6umhETEP-B2--EwjZueE10FgAz+L_1rxUw1-Q9QP+rtKg@mail.gmail.com> <CAOj=BA20K15MBvGqUuaoDOibV3FZ9MWgH67Qqnd9_EX-uQtEhQ@mail.gmail.com> <alpine.OSX.2.20.1703272118210.2533@ary.local>
From: Peter Goldstein <peter@valimail.com>
Date: Mon, 27 Mar 2017 19:54:43 -0700
Message-ID: <CAOj=BA0YKHYrkseR=wwgZn0_GNBKfdL7jmHehgBRzxqGKV6C1g@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Cc: dmarc <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a1141a706ffd506054bc194db"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/HJ-2XlXZ210v1FCOj0vbvwci2X4>
Subject: Re: [dmarc-ietf] indeterminisim of ARC-Seal b= value
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 02:54:49 -0000

John,

I'm familiar with the definition of the FWS in the ABNF, as well as the
generic definition ABNF for message headers.  I'm also aware of the
challenges with trying to normalize such headers, and how that can impact
email authentication - breaking forwarded DKIM signatures and such.  But
none of that is actually relevant here - we are not interested in arbitrary
messages.

We are interested in creating a set of valid input messages and ensuring
that these messages are signed in a consistent, reliable way by any valid
ARC implementation.  This is an extremely narrow case - so yes, I do think
the above is basically all it would take to make such signature headers
identical.  Perhaps I'll be disappointed, but based on the sample messages
I have on hand from existing implementations, that seems unlikely.

As for the hypothetical developers who will be adapting DKIM libraries to
do ARC signing, we've been talking about them since M3AAWG in October
2015.  So far they haven't materialized.  Honestly, it's not even clear to
me that there are that many DKIM libraries out there to adapt.

Instead we've seen ~5 implementations (Google, AOL, Dkimpy, OpenARC,
MailerQ), with potential support for implementations in 1-2 additional
languages (e.g. Perl) probably driven by one or more of the implementers of
the existing implementations.  It should be relatively easy to coordinate
such a change across the small number of existing implementations.

Best,

Peter




On Mon, Mar 27, 2017 at 7:21 PM, John R Levine <johnl@taugh.com> wrote:

> I think tightening up some currently allowed ambiguity in the ARC
>> specification is a much simpler and much better solution.  I'm not sure
>> why
>> there's such concern about canonicalizing the format and ordering of some
>> tag/value pairs.
>>
>
> If you think that's all it would take to make signature headers perfectly
> identical, you will be deeeply disappointed.  (Take a look at FWS in the
> ABNF and all of the other generic ABNF for message headers.)
>
> I think what we've been saying is that the SMTP mail ecosystem has never
> tried to make stuff bit-for-bit reproducible, and even if you could hammer
> on the spec to make super strict rules for one particular header, it's
> unlikely that the people who are adapting their DKIM code would pay
> attention.
>
> R's,
> John
>



-- 


[image: logo for sig file.png]

Bringing Trust to Email

Peter Goldstein | CTO & Co-Founder

peter@valimail.com
+1.415.793.5783

v2.23.0 | Report a Bug | By Email