IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

"Kurt Andersen (b)" <kboth@drkurt.com> Wed, 15 August 2018 05:28 UTC

Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA884130E43 for <dmarc@ietfa.amsl.com>; Tue, 14 Aug 2018 22:28:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WsZl0GyBCSQx for <dmarc@ietfa.amsl.com>; Tue, 14 Aug 2018 22:28:40 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D6B8130DDD for <dmarc@ietf.org>; Tue, 14 Aug 2018 22:28:40 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id p10-v6so103000ljg.2 for <dmarc@ietf.org>; Tue, 14 Aug 2018 22:28:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=iqs+kiVOc+1u9peDadC4pfMC+SkJnfVPRC2KTsoT5SI=; b=b1xBS24P33XkSZs7Ib34hQL2JwCrHqDPrVy4F0WfAZBETfoOokwRwIfGYUVfhEmwOt ju69a5HTytM6JjQJCvkhzR76yA4Ni0s2rsfp348OjGkQ+87oM51Bl7pmHQrkhNXeeZnY +fvRR6GGUV9UX4UPkFjtBEeDe7GZDrF2tgSAA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=iqs+kiVOc+1u9peDadC4pfMC+SkJnfVPRC2KTsoT5SI=; b=splrkV2wC7b4V7CrS0vU7ENav0tjs6o6NbU2fUx1+Oo3+4fVXeNzmr/94EBwPxqwKz w1TWwiPIFw9o8vARK0rHmWaJ1wbtgKgqLRD9VgRE2V7OIHuu2HP33MyYj4W/9dwkPq5A dXbu6n++JTLeR2Dhh/ehr58+3TxzYl5JzvyfEh+KYSmOW7o5fORDwsIemJym/Eic+mqy e5XBS9OEfueC7a9csbi9pI68Axy+nHNV12lfJFSBCtslQZrjNxd83pq99LQEBr6GJ3oL LttBEuGDvIqhdup4C4SYW6m4pRZM4akZPi3j+FhpswqFw93GirzwleO+HHwlDnUUOxSj q38w==
X-Gm-Message-State: AOUpUlFBBFZ6FH30snvYQcjB6T5bRGdm+Lr/8ugz76zc0SGM2yEM0peU d+awLmmRoFVVzN1+7on3v+LJYJSw2nyZhoBLmW/Q6Q==
X-Google-Smtp-Source: AA+uWPzIIBWu8IDbR7NMw9OaZBDQg4/3E9fvSL6nwy0tDuXGb1VHsEG9X8B4xVLUhGN3ryZi1CJ5v0/yDXpkeUo0K5o=
X-Received: by 2002:a2e:9c0f:: with SMTP id s15-v6mr808398lji.97.1534310918108; Tue, 14 Aug 2018 22:28:38 -0700 (PDT)
MIME-Version: 1.0
Sender: kurta@drkurt.com
Received: by 2002:a19:5943:0:0:0:0:0 with HTTP; Tue, 14 Aug 2018 22:28:36 -0700 (PDT)
In-Reply-To: <a6eb3ab9-0e0f-f3e5-9dd0-8d9e992595a0@gmail.com>
References: <CAD2i3WNSe+of7U8fdTnmUeU3sthUbpEVgdYHT9J6BgLxoeOL3w@mail.gmail.com> <20180730221726.713CE200316625@ary.qy> <CAD2i3WMvCugRm4KZeLx3PFb6f_pKR3rs4mnH2FZO4_X7ZA7GHA@mail.gmail.com> <alpine.OSX.2.21.1807302025420.60501@ary.qy> <CABa8R6sWSu9Q+mozxzaVGab3PE2zxqVmt4L6FERSLC1oDTh1oA@mail.gmail.com> <alpine.OSX.2.21.1808031352460.29088@ary.qy> <CABa8R6u_09D9BNiq3fXDXjPVfFeZxHtRa0NyLamKyj033xO72A@mail.gmail.com> <CAD2i3WNJdQ95drzue17UdKEb_6qkN7DuB7WdMbORTSjWGgwJZA@mail.gmail.com> <CABa8R6sgtcAHGt10GQ85PvhYvEZfv1K1SqiFLe7ozWeZ5+Y30A@mail.gmail.com> <CABuGu1rmxMWhUQvzf=uyNVYSb1zGCgWtiak5+yPKaXGWPV4XUg@mail.gmail.com> <CAL0qLwbjpMH30hD8xKnAgT6kJ9wmN9hm3gwnRGmiqTOxKLiHDw@mail.gmail.com> <a6eb3ab9-0e0f-f3e5-9dd0-8d9e992595a0@gmail.com>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Tue, 14 Aug 2018 22:28:36 -0700
X-Google-Sender-Auth: Dw4ReH7htdnzHxW4KSh8Lu0XMUM
Message-ID: <CABuGu1oVG-=5TtfdQffENQkf5+vQ9Fp44L42nsGY1QgUjzYyHA@mail.gmail.com>
To: Dave Crocker <dcrocker@gmail.com>
Cc: "Murray S. Kucherawy" <superuser@gmail.com>, IETF DMARC WG <dmarc@ietf.org>, Brandon Long <blong=40google.com@dmarc.ietf.org>, Seth Blank <seth@sethblank.com>
Content-Type: multipart/alternative; boundary="0000000000003fc6f40573729947"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/HNhNxyun0v2kA2Gy9bomm5kcbCM>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2018 05:28:43 -0000

On Sat, Aug 11, 2018 at 2:31 PM, Dave Crocker <dcrocker@gmail.com> wrote:

> On 8/11/2018 2:20 PM, Murray S. Kucherawy wrote:
>
>> Sign one" (I think you mean "seal one") remains ambiguous to me, because
>> as Seth said, once I see "cv=fail", I don't care about anything else.  Now
>> I have a seal nobody cares about, which means the sealer shouldn't be
>> bothered with generating it, irrespective of what gets fed to the hash.
>>
>>
> +1*10**inf.
>
> There has been a persistent desire to find a way to continue to process an
> ARC sequence that is broken, as if that will somehow make it unbroken or,
> at least, /less/ broken.
>
> It won't.
>
> As soon as a broken ARC chain is detected, ARC is -- or at least should be
> -- finished.  ARC-aware not should stop processing ARC for that message.
> Completely stop.
>
> If there is a clear and compelling counter-argument of clear benefit that
> can be achieved, will be achieved, and is desired by receivers, what is it?


Looking at how ARC chains can fail through the lens of the the validation
protocol (
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-15#section-5.2):

   1.  steps 1-3 are all pre-crypto structural checks.  Most of the
   discussion and concern has been in regard to these sorts of structural
   failures being introduced by broken implementations or mis-behaving MTAs in
   the intermediary stages. Up through version 4, we designated such
   structural failures with a "cv=invalid" flag and A-R(arc)=unknown so that
   no one would waste further time or resources looking at them;
   2. step 4 validates the most recent AMS. If it is broken, then we know
   nothing about the content being conveyed so "cv=fail" + A-R(arc)=fail makes
   sense or we could get more specific with A-R(arc-ams)=fail (not currently a
   defined designation);
   3. step 8 (should be 6 if the sub-items had been properly indented)
   validates the sequence of AS header values. If those do not validate, then
   the integrity of the chain itself is unfounded. We currently also designate
   this with "cv=fail" and A-R(arc)=fail but we could distinguish it from
   failure mode 2 with A-R(arc-as)=fail instead.

The only reason to affix a seal with "cv=fail" on the end of an ARC chain
is to spare all subsequent handlers from having to venture past step 2 in
the validation process. Without that, every intermediary and the final
receiver (at least those which validate ARC) will have to repeat the entire
sequence of validation up to whatever point in the process a failure is
determined. If we want (for some reason that I still don't understand) to
have a broken chain "preserved" for hypothetical forensics, we can't do it
under conditions of malformation because we have no deterministic list of
ARC header fields *to* seal. We could do something defined for failure
cases 2 and 3 and some structural violations, but not for all structural
violations. That's why I remain convinced that what is currently called for
in the spec is the only workable approach.

--Kurt

v2.23.0 | Report a Bug | By Email