IETF Logo Mail Archive

Re: [dmarc-ietf] indeterminisim of ARC-Seal b= value

Dave Crocker <dcrocker@bbiw.net> Fri, 31 March 2017 02:35 UTC

Return-Path: <dcrocker@bbiw.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27EA2129692 for <dmarc@ietfa.amsl.com>; Thu, 30 Mar 2017 19:35:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.791
X-Spam-Level:
X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=bbiw.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 94lphu53YQFk for <dmarc@ietfa.amsl.com>; Thu, 30 Mar 2017 19:35:23 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EE23127A90 for <dmarc@ietf.org>; Thu, 30 Mar 2017 19:35:23 -0700 (PDT)
Received: from [192.168.0.158] (50-232-11-130-static.hfc.comcastbusiness.net [50.232.11.130]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id v2V2bQ2p005336 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 30 Mar 2017 19:37:26 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=bbiw.net; s=default; t=1490927848; bh=4IETOQqj0WpVH9f4wMCrXoDN4iRt1rCT6Y3DkahiYZw=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=gcqGs4mzcwZ+0ZD0+cLM4rLJ2My3eUkcmV9shcoC8Vi9P4fv5c1AsxtZ/xlI+9OP6 09GuKvFjHIcInPxK4Ils9EM9UnnrmJUrDiJu++s9DLIsRGEljJE6oLrHcmpDDJmXAO DH5MLA0TUrlSeBEEwwePTqQw4AYCBfFzzuKb7bNI=
To: Seth Blank <seth@valimail.com>
References: <CANtLugO_D1Mz_v_341pc5O1mZ7RhOTrFA3+Ob5-onp72+5uRfA@mail.gmail.com> <alpine.OSX.2.20.1703272118210.2533@ary.local> <CAOj=BA0YKHYrkseR=wwgZn0_GNBKfdL7jmHehgBRzxqGKV6C1g@mail.gmail.com> <2978391.eJVbVTHBlo@kitterma-e6430> <CAL0qLwbP4c+09=TNSOsDqKwcp6iw++aGW8jDhARoVwvsghSLvA@mail.gmail.com> <01QCKR5S5OXK0003XB@mauve.mrochek.com> <CAOj=BA3p-XQT=AeR4PHC-udWsn7rOmtR+UQHV0vbVofDKYOH_Q@mail.gmail.com> <01QCKXW9MZ4Q0003XB@mauve.mrochek.com> <1cf7325b-6f77-7cda-e330-025b7ddb0b92@dcrocker.net> <CAOZAAfM_fKf+egqmYQorobPB07kQpi5rP4rcb4Kj3fsLvcoRVw@mail.gmail.com>
Cc: ned+dmarc@mrochek.com, Peter Goldstein <peter@valimail.com>, Scott Kitterman <sklist@kitterman.com>, "dmarc@ietf.org" <dmarc@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>
From: Dave Crocker <dcrocker@bbiw.net>
Organization: Brandenburg InternetWorking
Message-ID: <2f516997-7c5e-2fad-1aeb-51590383f9c7@bbiw.net>
Date: Thu, 30 Mar 2017 21:35:18 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <CAOZAAfM_fKf+egqmYQorobPB07kQpi5rP4rcb4Kj3fsLvcoRVw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Hnk5Ip84NqjF6C8O8OYHP57JWhc>
Subject: Re: [dmarc-ietf] indeterminisim of ARC-Seal b= value
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Mar 2017 02:35:24 -0000

On 3/30/2017 7:10 PM, Seth Blank wrote:
> Dave, If we were only talking about ARC Signing messages, I'd generally
> agree with the comments on this list.
>
> However, ARC is fundamentally different. It is about a chain of messages


Either you are correct, in which case ARC has been made far too fragile 
to be able to work with any serious degree of reliability at scale,

or you are wrong, in which case the fact of there being a sequence of 
DKIM-ish signatures has the same requirements as for individual 
signatures.

What you have been getting told by a range of folk with quite a lengthy 
history of DKIM and email deployment experience is in line with the latter.

So to the extent that you are sure things really are that fragile, the 
answer is not going to be a test suite or excessively demanding 
algorithms, but a re-thinking of the details, to make the implementation 
and deployment issues simpler.


d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

v2.23.0 | Report a Bug | By Email