IETF Logo Mail Archive

Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion

Dotzero <dotzero@gmail.com> Fri, 31 May 2019 11:47 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C95F11200A1 for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 04:47:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eLEq5hrwdniU for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 04:47:29 -0700 (PDT)
Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D26A120044 for <dmarc@ietf.org>; Fri, 31 May 2019 04:47:29 -0700 (PDT)
Received: by mail-vs1-xe36.google.com with SMTP id n21so722804vsp.12 for <dmarc@ietf.org>; Fri, 31 May 2019 04:47:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=d/xVMBLfdJyzdgbRv+X3McyX+wjKpW3pGZ3d/kly0WA=; b=Lgif8hRzFY+YGgbDpzj56gunTpTF+JiCgdzKwqWwxYiZnpeKUkWfc1eFcXhMpb45NS 5PuOJYCNxllPzSHBZb3ArEiMLHEtYPiL1vFdbnbHVIU7LE8c9vf42HCl2wPSnM+hiAg3 kNsMauLPF1QZckeSPy/B1guCHvQa7t9wytAGyl5ljQ0MIuAdLVlW2lTWjGdpeocmsxsY srreYwhwxq7e/uuLvHeYbKjkxVTCDpxOKVibKZXSI15k3TQWZ59ZwBjQag8J6t2PYu+0 qCTTMlRqJncPMDaXr2Mp8us85Y49h6WFyZLaC2XJdwlD992lHJM/gklgkl2yT3C2ykT4 4sDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=d/xVMBLfdJyzdgbRv+X3McyX+wjKpW3pGZ3d/kly0WA=; b=LpLTXECdfYBcwOf4rqm5gJG2cQQCN8cd5z7MNJuBFVZgDVe7lWPWe7ambo+TlQeURp i+Tq98IO3u0jXVELtsWjf5xPAe0pdofWkrJYZj081wOYil+BMldDPsMJn7LP4lqpRtU6 K1WbWoDjxnzuGc+L3/RZH8ifEOUAThKIizQk6CtDMjsaPAtu7tsKWfmfkd7qMruuc2if i7JoGNONf54vBTgeq2UrRjNuOvZWIaJjoIAyqQsk8EiOeRzu05ZNp7ER83UOuHd7kyUI 7NdYYzCv+OCcVnevTkqJyYZ4ARpKzP++iLVZXEO2Kk81zMi6WgTNhcNTVVEhx1v7C10k 1hzQ==
X-Gm-Message-State: APjAAAVreqdTqvH3V4WFT8Vc+6y/pZB/Hdg1a0GMXiznF2uIYew3CBkE W2zQXJTzXDdMGFGW1HRPnMxVYNFYt8zucXyMMuw=
X-Google-Smtp-Source: APXvYqwVxRVEvXhms+rymhL8nVE+2I4dkpKQd0YAkLdQ8KSQl8rn7sL7rjup5XtsWcTnGq6bDiqv4Jsq8oEic85PPl0=
X-Received: by 2002:a67:c508:: with SMTP id e8mr5022230vsk.18.1559303248530; Fri, 31 May 2019 04:47:28 -0700 (PDT)
MIME-Version: 1.0
References: <54FB29A0-517A-430E-AF5B-CB079CC3D7F6@aegee.org> <20190526144848.08A772014A0BF4@ary.qy> <CAL0qLwbxwLTpgYJN9qBTzi2oN1EMvAYuNoDbw5Rx5W46-WNyLA@mail.gmail.com> <alpine.OSX.2.21.9999.1905301712140.76792@ary.qy> <c559a331d90b49eba5b5f6e35ff4774a@bayviewphysicians.com> <1931a4e4-7112-56ae-24e6-b138466392b4@dcrocker.net> <f5106924930f41c5bd83a709e4307f8b@bayviewphysicians.com>
In-Reply-To: <f5106924930f41c5bd83a709e4307f8b@bayviewphysicians.com>
From: Dotzero <dotzero@gmail.com>
Date: Fri, 31 May 2019 07:47:15 -0400
Message-ID: <CAJ4XoYd5F6Fte_ibUwWG82vPhiixTWYezCuL3nzahFRc5SJSTg@mail.gmail.com>
To: fosterd@bayviewphysicians.com
Cc: Dave CROCKER <dcrocker@bbiw.net>, IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000039d086058a2d940f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/I32LrMuXX41dDh5yz1jpCDpkaCY>
Subject: Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 11:47:32 -0000

On Fri, May 31, 2019 at 6:59 AM Douglas E. Foster <
fosterd@bayviewphysicians.com> wrote:

> I cannot speak to IETF consensus, since I am new to that process and I
> seem to be an  outlier already.
>

Perhaps the onus is on you to take the time to understand  IETF and it's
processes before demanding changes. Just a thought.

>
> Agency and signatures are well understood legal concepts.   3000 years
> ago, people sealed their letters with a signet ring stamped in warm clay.
>  Signing technologies have changed in that time, but the principle has
> not.   A courier is responsible for keeping the signed and sealed part of a
> message unaltered.   Envelope marks are acceptable.
>
>

Perhaps you should go back and read the history and purpose of DKIM.


> A digital signature is supposed to provide non-repudiation.  If I submit a
> signed message to a list processor, and the list processor voids the
> signature, it has given me verifiable repudiation, the opposite of what
> either sender or receiver want.
>

Non-repudiation is not the purpose of DKIM signing. The purpose was (and
is) to provide a mechanism for mailbox providers to evaluate whether an
email message was authorized by a particular domain.


>
> A closed group on a single server can use whatever rules they choose to
> implement in that community.  For example, a web forum operates on the
> rules of the forum operator.   However, an open group using the email
> infrastructure has to work within the infrastructure it uses.   In the
> email infrastructure, the recipient has to deal with fraud, and any
> recipient accommodation to "harmless" fraud facilitates the people who are
> doing "harmful" fraud to that recipient.
>

You are certainly entitled to your opinion.

>
> There are some obvious use-cases for MTA changes to a message, and we
> would do well to document and address them.
>

Perhaps the you part of "we" should submit an Internet Draft undertaking
the work you want done.

>
> The first that comes to mind is MTA comment fields.
> - A list processor wants to add a comment indicating something about the
> list that sent it.
> - A spam filter wants to add a tag indicating that the message is
> suspicious, but not sufficiently suspicious to be blocked.
>
> IETF would do well to specify a mechanism for MTAs to add information
> which MUAs present to the user, while identifiying that that the
> information came from the MTA rather than the original sender.
>

> Another use-case is related to body sections.   IETF only forwards plain
> text, while most email solutions send messages in HTML+Text.   I assume
> that IETF also drops attachments.   DKIM cannot handle this because it
> hashes the entire body.   A signature system that signed each section
> individually would allow sections to be dropped, with notification to the
> user, without breaking the signatures on the other MIME types.
>
> DKIM was supposed to provide sender authentication when SPF was
> invalidated by forwarding, so DMARC said that the two techniques should be
> evaluated together.   I am realizing that if SPF is invalidated, DKIM is
> probably invalidated as well, so we have no usable sender authentication
> technology.   This may explain why so many products that I have examined
> lack support for DMARC or lack good exception mechanisms for SPF, DKIM, and
> DMARC.
>

Can you please show us the documentation that supports your assertion that
" DKIM was supposed to provide sender authentication when SPF was
invalidated by forwarding"? When I read the DKIM RFC I find nothing to
support your assertion. DKIM was the result of the merging of Internet
Identified Mail (IIM) and Domain Keys (DK) proposals. Quite a few of us
were around at the time it happened. These things happened in parallel to
SPF and not as a "fix" to SPF. Thank you for your creative attempt to
rewrite history.

>
> It seems that email needs something like "DNS Flag Day", where major
> players announce a date after which certain behaviors that will no longer
> be tolerated.   But as others have said, IETF is not that organization, and
> the organization may not exist.
>
>
Thank you for your proposal. To channel a long time participant, I invoke
King Canute. If you believe major players should take a particular action
in unison then perhaps you should be reaching out to those major players.
(Side note to major players, no need to thank me for pointing this out)


> More discouraged than ever,
>

Hope springs eternal.

Michael Hammer

>

v2.23.0 | Report a Bug | By Email