Re: [dmarc-ietf] Two basic Issues to address to help complete DMARCbis

Hector Santos <hsantos@isdg.net> Mon, 24 April 2023 04:11 UTC

From: Hector Santos <hsantos@isdg.net>
Message-Id: <B98BC5C2-CFE3-4C9F-B700-4B8298DDB340@isdg.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_114EC207-7880-48D1-A612-0E549704CD6E"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
Date: Mon, 24 Apr 2023 00:11:19 -0400
In-Reply-To: <CAJ4XoYdFxA8hvCQRHargBay471UcNCyMC=ff2LoxB=rKxShTog@mail.gmail.com>
Cc: dmarc@ietf.org
To: Dotzero <dotzero@gmail.com>
References: <0abf9711-ca1c-bfcf-afb2-15e16b9de149@tana.it> <20230420153727.DB568C106CE9@ary.qy> <CAJ4XoYeyoOYeXW1QN+yeMbxt4SF7Kn2Xi=FP7VmX4MhKiDi9hQ@mail.gmail.com> <C3D9E708-EDC7-43BC-AE5E-DF4FFAECCC2B@kitterman.com> <7e2ae4c0-6ebf-4539-55b9-e5d85765a024@tana.it> <185759A8-10CD-40F8-89C8-FE774B077F52@kitterman.com> <a31a3a91-1fe1-40b0-ae4c-0e76520e722c@tana.it> <644568C6.4000407@isdg.net> <CAJ4XoYdFxA8hvCQRHargBay471UcNCyMC=ff2LoxB=rKxShTog@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/JjND6vPLOIPxOH1GSS5KK1POw8o>
Subject: Re: [dmarc-ietf] Two basic Issues to address to help complete DMARCbis


> On Apr 23, 2023, at 4:17 PM, Dotzero <dotzero@gmail.com> wrote:
> 
> On Sun, Apr 23, 2023 at 1:20 PM Hector Santos <hsantos=40isdg.net@dmarc.ietf.org <mailto:40isdg.net@dmarc.ietf.org>> wrote:
>> 
>> With each year, that "temporary hack" becomes the new normal and it 
>> will be harder to clean up. It is not the right way and I don't think it's 
>> too late to reverse.  However, it has been 17 years and DMARCbis is 
>> not finished without some clean up in this area.
> 
> It HAS NOT been 17 years for either DMARC (first published in 2011 and first submitted to IETF as informational in 2015) or DMARCbis. Let's at least use publicly available data points for time frames rather than time frames pulled out of thin air.

Wow.  I’ll apologize for the confusion. Allow me to paraphrase it:

“However, it has been 17 years since the evolution of SSP, DSAP, ADSP, ATPS and now DMARCbis and unfortunately it is not finished without some clean up in this area.”

A little better, I hope.

I see all of these as a DKIM Policy Model, and DMARC just happens to be the current rendition of the concept.  I have worked with all of them and before that, we did a real security analysis and requirements work.  Not sure if you participated in this early DKIM wg work.

>> 
>> I can understand why DMARCbis's editor does not want to document 
>> rewrite, but IMO, it can't be ignored anymore.   The details of a 
>> rewrite can be quickly outlined.  To help the RFC process, maybe 
>> DMARCbis could refer to the Functional Specifications of SSP (RFC5016) 
>> Section 5.3, Item 10 which basically reinforces the idea that local 
>> policy ALWAYS prevails and it is quite possible there will be 
>> undesirable tearing down of secured submissions.  One possible 
>> mitigation is to replace it with a secured rewriter with a p=reject 
>> policy.
> 
> SSP is long gone and failed. Referencing something which failed to gain support many years ago is also not a path to go down. 


I referenced the Functional Specification for SSP (RFC5016), not the SSP itself which was still only in draft form.  https://datatracker.ietf.org/doc/html/draft-allman-dkim-ssp-02

The development and point of RFC4686 and RFC5016 was to help Eric and Jim create SSP, and that's when Levine's ADSP stepped in.  From a software engineering standpoint, the documents provided the security analysis and requirements to make an "SSP" protocol.  It does not change the original analysis or requirements. 

Analysis of Threats Motivating DomainKeys Identified Mail (DKIM)
https://datatracker.ietf.org/doc/html/rfc4686

Requirements for a DomainKeys Identified Mail (DKIM) Signing Practices Protocol
https://datatracker.ietf.org/doc/html/rfc5016

Please review these, especially Section 5.3 of RFC5016.  I was sort of helping DMARCbis.  It can refer that provision to maybe justify the rewrite.  After all, it was a game changer in all this when it was added.

—
HLS
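The thread above argues over the mailing-list From: rewrite that lists perform to survive a p=reject author domain, and the quoted passage proposes a "secured rewriter" that only rewrites when the author's policy would otherwise tear the message down. The following Python is an added example written for this archive page, not code from Hector Santos, the DMARC working group, or any list software. It parses DMARC TXT records, resolves the effective policy for an author domain (falling back to the organizational domain and its sp= tag), and rewrites From: only when the published policy is reject or quarantine, preserving the original author in Reply-To and X-Original-From. The DNS answers are constructed sample data looked up from a dict rather than real queries, the organizational domain is approximated as the last two labels (real implementations use the Public Suffix List), and the list address is a hypothetical placeholder.

```python
from email.message import EmailMessage
from email.utils import parseaddr, formataddr

# Constructed sample DNS answers (not real lookups): _dmarc.<domain> TXT records.
SAMPLE_DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; sp=quarantine",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; pct=100",
}


def parse_dmarc_record(txt):
    """Split a DMARC TXT record into a tag dict; None if it is not a DMARC1 record with p=."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def organizational_domain(domain):
    """Approximation used for this example (assumption): the last two labels.
    Production code must consult the Public Suffix List instead."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else None


def lookup_policy(domain, records=SAMPLE_DMARC_TXT):
    """Effective policy for a domain: its own p=, else the org domain's sp= (or p=),
    else 'none' when nothing is published."""
    domain = domain.lower()
    tags = None
    exact = records.get(f"_dmarc.{domain}")
    if exact:
        tags = parse_dmarc_record(exact)
    if tags:
        return tags["p"].lower()
    org = organizational_domain(domain)
    if org:
        org_txt = records.get(f"_dmarc.{org}")
        org_tags = parse_dmarc_record(org_txt) if org_txt else None
        if org_tags:
            # sp= governs subdomains; it defaults to p= when absent.
            return org_tags.get("sp", org_tags["p"]).lower()
    return "none"


def needs_rewrite(from_header, records=SAMPLE_DMARC_TXT):
    """A list should rewrite From: only when the author domain would cause the
    relayed message (whose DKIM signature it breaks) to be rejected or quarantined."""
    _name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return lookup_policy(domain, records) in ("reject", "quarantine")


def rewrite_from(msg, list_addr, list_name="DMARC list", records=SAMPLE_DMARC_TXT):
    """Conditional From: rewrite. Returns True if the header was rewritten.
    The original author is kept in Reply-To (unless the author set one) and
    X-Original-From so recipients and filters can still see who wrote it."""
    original = msg["From"]
    if not needs_rewrite(original, records):
        return False
    name, addr = parseaddr(original)
    display = f"{name or addr} via {list_name}"
    msg.replace_header("From", formataddr((display, list_addr)))
    if "Reply-To" not in msg:
        msg["Reply-To"] = original
    msg["X-Original-From"] = original
    return True


def build_sample_message(from_header="Alice <alice@example.com>"):
    """Constructed message standing in for a list submission."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "dmarc@list.example"  # hypothetical list address
    msg["Subject"] = "Re: rewrite discussion"
    msg.set_content("constructed body text\n")
    return msg


if __name__ == "__main__":
    for author in ("alice@example.com", "bob@example.net", "carol@lists.example.net"):
        print(author, "->", lookup_policy(author.split("@")[1]),
              "rewrite" if needs_rewrite(author) else "pass through")
    sample = build_sample_message()
    rewrite_from(sample, "dmarc@list.example")
    print(sample["From"], "|", sample["X-Original-From"])
```

Running it shows that an example.com author (p=reject) gets rewritten, an example.net author (p=none) passes through untouched, and a lists.example.net author inherits the org domain's sp=quarantine and is rewritten. The point of keeping the decision conditional is the one the quoted passage makes about local policy: the list only alters the author identity when the author domain's own published policy would otherwise cause the relayed message to be refused.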