Re: [dmarc-ietf] Question regarding RFC 8617

Brandon Long <blong@google.com> Wed, 06 November 2019 17:43 UTC

References: <BN7PR05MB416368F6F754F6B6E0095648FA7F0@BN7PR05MB4163.namprd05.prod.outlook.com> <CABuGu1rsiK0VWXCZXqhLvbO0bULBPZD+JuQ9LqwzMr05MSnLpQ@mail.gmail.com>
In-Reply-To: <CABuGu1rsiK0VWXCZXqhLvbO0bULBPZD+JuQ9LqwzMr05MSnLpQ@mail.gmail.com>
From: Brandon Long <blong@google.com>
Date: Wed, 06 Nov 2019 09:43:22 -0800
Message-ID: <CABa8R6vVRT_y_RyL6+vgi9-e4-ySbLUuQewD8kRwSv9U+8w0YQ@mail.gmail.com>
To: "Kurt Andersen (b)" <kboth@drkurt.com>
Cc: "Weist, Bill" <William.Weist@iqvia.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/JsjQRq4yQzf28gSXnfWK6Cqksks>

What's more, the point of including Subject and other mutable headers is
the same as it is for DKIM: those are the headers which are important to
the receiver, so they should be validated.

As Kurt points out, the point of ARC is to acknowledge these changes hop to
hop, and the ARC Seal proves who did the change; the question becomes
whether you believe the person who changed it wasn't malicious.

Brandon

On Wed, Nov 6, 2019 at 7:37 AM Kurt Andersen (b) <kboth@drkurt.com> wrote:

> The choice of which headers are included in the signed set is strictly up
> to the domain administrators who implement the signing practices. Also, the
> AMS is only relevant for the next receiver, it is not intended to be
> validated by hops >1 step away from the domain which adds that instance so
> I don't see how mutability would matter.
>
> --Kurt Andersen
>
> On Wed, Nov 6, 2019 at 7:30 AM Weist, Bill <William.Weist@iqvia.com>
> wrote:
>
>> DOI:  10.17487/RFC8617
>>
>> The inclusion of the address headers in the signature, and possibly the
>> Subject, is an issue:
>>
>> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
>> s=arcselector9901;
>> h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
>> bh=;
>>
>> If a downstream server needs to modify either of these two values, the
>> signature check fails.
>>
>> It is my understanding that the Authenticated Received Check signature is
>> to validate the chain of possession.  As such, in my opinion, the signature
>> should only include immutable references.
>>
>> In my opinion, there is value in NOT requiring headers to be stripped by
>> downstream servers, thus maintaining the custody chain from origination to
>> destination.
>>
>>
>>
>> Thank you for your time and attention,
>>
>> William M. Weist
>> Enterprise Architect I – Global Messaging – Mobile and Presence
>> CIO Team – End User Computing
>> Learn more <http://www.iqvia.com/> about IQVIA™
>> 400 Campus Drive, Collegeville, PA 19426, USA
>> O: +1 610 244 2646 | M: +1 484 904 8244
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
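Kurt's point that an AMS is only meant to be validated by the next receiver, and Brandon's that the ARC Seal shows who made a change, can be seen in a small simulation of the per-hop model RFC 8617 describes. The following is an added illustration written for this archive page; it is not code from the thread, from any of the participants' employers, or from any ARC implementation. It assumes HMAC-SHA256 with a per-domain key in place of RSA-SHA256 and a dict in place of DNS key lookup, and the domains, keys and message are constructed. An origin host adds ARC set i=1 over a header list that includes Subject (as in Bill's Microsoft example), a list hop rewrites Subject and adds set i=2, and the final receiver's chain evaluation passes even though the i=1 AMS on its own no longer verifies; a further silent Subject edit with no new ARC set turns the chain to fail.

```python
import base64
import hashlib
import hmac
import re

# Assumptions for a self-contained example: HMAC-SHA256 with a per-domain key stands in for
# RSA-SHA256, and a dict stands in for the DNS key lookup a real ARC verifier performs.
SIGNED = ("From", "Date", "Subject", "Message-ID")  # h= list: Subject deliberately included
ARC_SET = ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal")

def relaxed_header(name, value):
    """RFC 6376 s.3.4.2 relaxed canonicalization: lowercase name, collapse whitespace."""
    return name.lower() + ":" + " ".join(value.split()) + "\r\n"

def body_hash(body):
    """bh= value: base64 SHA-256 of the relaxed body (RFC 6376 s.3.4.4)."""
    lines = [" ".join(ln.split()) for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return base64.b64encode(hashlib.sha256("".join(ln + "\r\n" for ln in lines).encode()).digest()).decode()

def sign(key, data):
    return base64.b64encode(hmac.new(key, data.encode(), hashlib.sha256).digest()).decode()

def parse_tags(value):
    return {k.strip(): "".join(v.split()) for k, v in
            (p.split("=", 1) for p in value.split(";") if "=" in p)}

def strip_b(value):
    """Signature header with the b= value emptied, which is the form that gets hashed."""
    return re.sub(r"(;\s*b=)[^;]*", r"\1", value)

def get(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), "")

def arc_field(msg, name, i):
    return next((v for n, v in msg["headers"] if n == name and parse_tags(v).get("i") == str(i)), "")

def highest_instance(msg):
    return max((int(parse_tags(v)["i"]) for n, v in msg["headers"] if n == "ARC-Seal"), default=0)

def ams_data(msg, ams):
    """AMS hash input: the h= headers as they are right now, then the AMS itself with b= empty."""
    hdrs = "".join(relaxed_header(h, get(msg["headers"], h)) for h in parse_tags(ams)["h"].split(":"))
    return hdrs + relaxed_header("ARC-Message-Signature", strip_b(ams)).rstrip("\r\n")

def seal_data(msg, n, seal):
    """AS i=n hash input (RFC 8617 s.5.1.1): every ARC set 1..n in order, last seal with b= empty."""
    parts = [relaxed_header(f, strip_b(seal) if (i == n and f == "ARC-Seal") else arc_field(msg, f, i))
             for i in range(1, n + 1) for f in ARC_SET]
    return "".join(parts).rstrip("\r\n")

def verify_ams(msg, i, keys):
    t = parse_tags(ams := arc_field(msg, "ARC-Message-Signature", i))
    return bool(ams) and t["bh"] == body_hash(msg["body"]) and hmac.compare_digest(
        sign(keys[t["d"]], ams_data(msg, ams)), t["b"])

def verify_seal(msg, i, keys):
    t = parse_tags(seal := arc_field(msg, "ARC-Seal", i))
    return bool(seal) and hmac.compare_digest(sign(keys[t["d"]], seal_data(msg, i, seal)), t["b"])

def chain_status(msg, keys):
    """RFC 8617 s.5.2: 'none' with no ARC sets; 'pass' only if the newest AMS and every seal verify."""
    n = highest_instance(msg)
    if n == 0:
        return "none"
    if parse_tags(arc_field(msg, "ARC-Seal", n)).get("cv") == "fail" or not verify_ams(msg, n, keys):
        return "fail"
    return "pass" if all(verify_seal(msg, i, keys) for i in range(1, n + 1)) else "fail"

def arc_hop(msg, domain, keys, modify=None):
    """One intermediary: judge the chain as received, optionally modify, then add ARC set n+1."""
    cv = chain_status(msg, keys)  # evaluated before any modification, as a real hop would
    if modify: modify(msg)
    n, key, hdrs = highest_instance(msg) + 1, keys[domain], msg["headers"]
    hdrs.insert(0, ("ARC-Authentication-Results", f"i={n}; {domain}; arc={cv}"))
    ams = (f"i={n}; a=hmac-sha256; c=relaxed/relaxed; d={domain}; s=sel; "
           f"h={':'.join(SIGNED)}; bh={body_hash(msg['body'])}; b=")
    hdrs.insert(0, ("ARC-Message-Signature", ams + sign(key, ams_data(msg, ams))))
    seal = f"i={n}; a=hmac-sha256; cv={cv}; d={domain}; s=sel; b="
    hdrs.insert(0, ("ARC-Seal", seal + sign(key, seal_data(msg, n, seal))))

def retag_subject(msg):  # what a list hop does: prefix Subject, breaking the previous hop's AMS
    msg["headers"] = [(n, "[dmarc] " + v if n == "Subject" else v) for n, v in msg["headers"]]

def demo():
    """Origin seals (i=1); a list hop rewrites Subject and seals (i=2); a final receiver checks."""
    keys = {"example.com": b"origin-key", "list.example": b"list-key"}  # constructed DNS stand-in
    msg = {"headers": [("From", "alice@example.com"), ("Date", "Wed, 6 Nov 2019 09:43:22 -0800"),
                       ("Subject", "Question regarding RFC 8617"), ("Message-ID", "<m1@example.com>")],
           "body": "Hello list\r\n"}  # constructed sample message
    arc_hop(msg, "example.com", keys)
    arc_hop(msg, "list.example", keys, modify=retag_subject)
    result = {"chain": chain_status(msg, keys),   # "pass": newest AMS and both seals verify
              "ams1": verify_ams(msg, 1, keys),   # False: Subject changed after i=1 was signed
              "ams2": verify_ams(msg, 2, keys),   # True: the list signed the rewritten Subject
              "aar2": get(msg["headers"], "ARC-Authentication-Results")}
    retag_subject(msg)  # a silent edit after the last seal, with no new ARC set added
    result["after_silent_edit"] = chain_status(msg, keys)  # "fail": newest AMS no longer verifies
    return result
```

Calling `demo()` returns the chain verdict alongside the per-instance AMS results. The design point is the one the thread makes: a receiver judges the chain by the newest AMS plus every seal, so a mutable header in `h=` costs nothing as long as the hop that mutated it added its own set, and the seal of that set records which domain is vouching for the rewritten value. What the chain cannot decide for you is whether that domain's rewrite was benign; that is the trust judgement Brandon describes.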