Re: [dmarc-ietf] Search for some consensus, was: Proposed text for p=reject and indirect mail flows
Scott Kitterman <sklist@kitterman.com> Wed, 26 April 2023 15:52 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CED70C1519AD for <dmarc@ietfa.amsl.com>; Wed, 26 Apr 2023 08:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="3+QvdaAA"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="gwqSSB56"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3kCkVba9Pd6j for <dmarc@ietfa.amsl.com>; Wed, 26 Apr 2023 08:52:28 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BF79C1519A1 for <dmarc@ietf.org>; Wed, 26 Apr 2023 08:52:26 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id E797AF802E7; Wed, 26 Apr 2023 11:52:13 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1682524319; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=NG0dizMrZUlDtFh9dfKhWTZWfuP28LfbPKZ7PeHPamw=; b=3+QvdaAA6xI+dYOn2yd/GWXbPPKPhoBBpSkNH8VGHgFXDg+CEoTwuSnwxCSyqY9R331Sq oNeGGc8BhMMVU7HDA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1682524319; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=NG0dizMrZUlDtFh9dfKhWTZWfuP28LfbPKZ7PeHPamw=; b=gwqSSB56/4ghOlQvxubdhfIumy01tLH1g+d8aEFsi+Yr3iJY8FOyVs58W0G3HWKTLEdYD e9g5c1h2Mz/fYCSdARNpSocT0NUAAoNMH45Qo025xtlQwmaBBx00gagzlsUO/7ovJYRfxFP Q6F+Xb+caerzLSPgCIrAKFrSXsRqExx8yM9Rhb/bsfnt+FhUMtxPFPiHHU7tpxiQ9H7quIi drd1OMOzBviZxTHlFXdvUt+uOPDdhbSWIN69B48HEBXXOkj24MlcRCamCK6QSl9nnRxPClc gPt0evdbNzZNVZCLp7Rtwh2AH8t+BFLr7FWglZZLirfke41B78Z74LbekXkg==
Received: from [127.0.0.1] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 26CFAF8014A; Wed, 26 Apr 2023 11:51:59 -0400 (EDT)
Date: Wed, 26 Apr 2023 15:51:49 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <6449424A.5070207@isdg.net>
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <29216533.CRhL9lMF2B@localhost> <9aaeadee-c29a-efe8-2c43-ed6fc1b3ed0d@tana.it> <D29CB79C-AAEB-4999-92C7-D19389916D98@kitterman.com> <6449424A.5070207@isdg.net>
Message-ID: <A5F72E51-8428-4C10-9046-25E3B7140825@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Jtq7C0Ax89iMdKmv50aMmCbcA-A>
Subject: Re: [dmarc-ietf] Search for some consensus, was: Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2023 15:52:32 -0000
On April 26, 2023 3:24:58 PM UTC, Hector Santos <hsantos=40isdg.net@dmarc.ietf.org> wrote: > > >On 4/26/2023 7:21 AM, Scott Kitterman wrote: >> On April 26, 2023 8:08:39 AM UTC, Alessandro Vesely<vesely@tana.it> wrote: >>> On Tue 25/Apr/2023 20:27:18 +0200 Scott Kitterman wrote: >>>> My recollection is that a general formulation that I proposed had at least >>>> some traction out of both groups: >>>> >>>>> [some appropriate description] domains MUST NOT publish restrictive DMARC >>>>> policies due to interoperability issues >>>> Leaving aside (for now) the question of what goes into [some appropriate >>>> description] and with the assumption that there will be some non-normative >>>> discussion to amplify whatever that is and probably give some indication about >>>> what domains might do to not be one of those domains, is there anyone who just >>>> can't live with that formulation of the situation? >>> Me, for one. Because more than 98% of domains are going to fall into the description, however we word it, that statement makes the whole I-D nonsensical. Cannot we just tell the problem without MUSTard? >>> >>> In any case, using the complement of [some appropriate description] is certainly easier. For example: >>> >>> Forcing authentication into Internet mail by publishing restrictive DMARC >>> policies breaks some well established patterns of usage. Publishing such >>> policies is thus RECOMMENDED only for domains [in this other appropriate >>> description]. >>> >> Thanks. >> >> I understand your objection to be that the proposed description of the interoperability problems would apply to too many domains, regardless of the modifier we might use. Is that correct? >> >> I don't understand the technical issue associated with that objection. I get that you feel the construction is too negative, but I don't have a sense you think it's inaccurate. Focusing on the technical aspects of this, would you please help me understand what you think is technically incorrect about it? >> >> Scott K > >Scott, > >I will two to remained focus. With Barry's MUST NOT text and as you surmised: > > [some appropriate description] domains MUST NOT publish restrictive DMARC > policies due to interoperability issues > >I believe you are asking if this is technically correct ... for IETF PS passage? > >To me, there were a number of folks who indicated support for MUST NOT but preferred more details. > >We will need to deal with the consequences when existing restrictive domains have the proverbial "book" thrown at them for their user's actions which creates the necessary known mitigations; Rewrite and Subscription/Submission controls. As advice to MLS/MLM implementators, the latter should be a natural part of the protocol when honoring the policy. The former is a security tear down when intentionally not honoring the policy. > >With no deliberation as to what the interop issues are and the mitigation, not closing the loop holes for implementators, I see a new potential security issue is highlighted. The "MUST NOT due to Interop issues" may require a security review with a new possible Security Section 11.9 "Intentional DMARC Security Tear down Threats" or it may fall under an updated section 11.4 as a Display Name Attack. > >So is it technically correct and sufficient? > >I would be flabbergasted if this was IETF/IESG "technically correct" as a PS. Maybe as an Informational Status, but difficult as a PS and I believe Barry may have suggested that. I agree with that if left as is. > I agree that more will be needed. Thanks for the feedback. The last run at this question ended up being a mess, so I'm trying to see if we can get further by going in small steps. Scott K
- [dmarc-ietf] Proposed text for p=reject and indir… Barry Leiba
- Re: [dmarc-ietf] Proposed text for p=reject and i… Jim Fenton
- Re: [dmarc-ietf] Proposed text for p=reject and i… Todd Herr
- Re: [dmarc-ietf] Proposed text for p=reject and i… Mark Alley
- [dmarc-ietf] DMARCbis and M3AAWG Email Auth BCP (… Todd Herr
- Re: [dmarc-ietf] Proposed text for p=reject and i… Todd Herr
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Brotman, Alex
- Re: [dmarc-ietf] Proposed text for p=reject and i… Dotzero
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Todd Herr
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Todd Herr
- Re: [dmarc-ietf] Proposed text for p=reject and i… Brotman, Alex
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Pete Resnick
- Re: [dmarc-ietf] Proposed text for p=reject and i… Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… John Levine
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Alessandro Vesely
- Re: [dmarc-ietf] Proposed text for p=reject and i… Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… Murray S. Kucherawy
- Re: [dmarc-ietf] Proposed text for p=reject and i… Murray S. Kucherawy
- Re: [dmarc-ietf] Proposed text for p=reject and i… Todd Herr
- Re: [dmarc-ietf] Proposed text for p=reject and i… Barry Leiba
- Re: [dmarc-ietf] Proposed text for p=reject and i… Brotman, Alex
- Re: [dmarc-ietf] Proposed text for p=reject and i… Todd Herr
- Re: [dmarc-ietf] Proposed text for p=reject and i… Alessandro Vesely
- Re: [dmarc-ietf] Proposed text for p=reject and i… Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… Mark Alley
- Re: [dmarc-ietf] Proposed text for p=reject and i… Barry Leiba
- Re: [dmarc-ietf] Proposed text for p=reject and i… Barry Leiba
- Re: [dmarc-ietf] Proposed text for p=reject and i… Murray S. Kucherawy
- Re: [dmarc-ietf] Proposed text for p=reject and i… John Levine
- Re: [dmarc-ietf] Proposed text for p=reject and i… Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… Barry Leiba
- Re: [dmarc-ietf] Proposed text for p=reject and i… Pete Resnick
- Re: [dmarc-ietf] Proposed text for p=reject and i… Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… Alessandro Vesely
- Re: [dmarc-ietf] Proposed text for p=reject and i… Alessandro Vesely
- Re: [dmarc-ietf] Proposed text for p=reject and i… Murray S. Kucherawy
- Re: [dmarc-ietf] Proposed text for p=reject and i… Murray S. Kucherawy
- Re: [dmarc-ietf] Proposed text for p=reject and i… Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… Murray S. Kucherawy
- Re: [dmarc-ietf] Proposed text for p=reject and i… Alessandro Vesely
- Re: [dmarc-ietf] Proposed text for p=reject and i… Dotzero
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Alessandro Vesely
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] THIS IS ABUSE (no it's not) Scott Kitterman
- Re: [dmarc-ietf] Understanding Ale's Abuse resear… Douglas Foster
- Re: [dmarc-ietf] THIS IS ABUSE (it might be) Alessandro Vesely
- Re: [dmarc-ietf] THIS IS ABUSE (it might be) Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Mark Alley
- Re: [dmarc-ietf] THIS IS ABUSE (it might be) Eric D. Williams
- Re: [dmarc-ietf] THIS IS ABUSE (it might be) Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… John Levine
- Re: [dmarc-ietf] THIS IS ABUSE (it might be) Alessandro Vesely
- Re: [dmarc-ietf] THIS IS ABUSE (it might be) Scott Kitterman
- Re: [dmarc-ietf] THIS IS ABUSE (it might be) John Levine
- Re: [dmarc-ietf] THIS IS A DISTRACTION (it might … John Levine
- Re: [dmarc-ietf] THIS IS A DISTRACTION (it might … Scott Kitterman
- Re: [dmarc-ietf] THIS IS A DISTRACTION (it might … Alessandro Vesely
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Dotzero
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Mark Alley
- Re: [dmarc-ietf] Proposed text for p=reject and i… Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… Dotzero
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Neil Anuskiewicz
- Re: [dmarc-ietf] Proposed text for p=reject and i… Murray S. Kucherawy
- Re: [dmarc-ietf] Proposed text for p=reject and i… Matthäus Wander
- Re: [dmarc-ietf] Proposed text for p=reject and i… Jesse Thompson
- Re: [dmarc-ietf] Proposed text for p=reject and i… John Levine
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Murray S. Kucherawy
- Re: [dmarc-ietf] Proposed text for p=reject and i… Hector Santos
- Re: [dmarc-ietf] Proposed text for p=reject and i… Barry Leiba
- Re: [dmarc-ietf] Proposed text for p=reject and i… Hector Santos
- Re: [dmarc-ietf] Proposed text for p=reject and i… Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… Neil Anuskiewicz
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Matthäus Wander
- Re: [dmarc-ietf] Proposed text for p=reject and i… Alessandro Vesely
- Re: [dmarc-ietf] THIS IS ABUSE (it might be) Alessandro Vesely
- Re: [dmarc-ietf] THIS IS ABUSE (it might be) John R Levine
- Re: [dmarc-ietf] Proposed text for p=reject and i… Mark Alley
- Re: [dmarc-ietf] Proposed text for p=reject and i… Alessandro Vesely
- Re: [dmarc-ietf] Proposed text for p=reject and i… Alessandro Vesely
- Re: [dmarc-ietf] Proposed text for p=reject and i… Laura Atkins
- Re: [dmarc-ietf] Proposed text for p=reject and i… Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… Laura Atkins
- Re: [dmarc-ietf] THIS IS ABUSE (it might be) Eric D. Williams
- Re: [dmarc-ietf] THIS IS ABUSE (it might be) John R Levine
- Re: [dmarc-ietf] Proposed text for p=reject and i… Alessandro Vesely
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Laura Atkins
- Re: [dmarc-ietf] Proposed text for p=reject and i… Dotzero
- Re: [dmarc-ietf] Proposed text for p=reject and i… John Levine
- Re: [dmarc-ietf] Proposed text for p=reject and i… Dotzero
- Re: [dmarc-ietf] Proposed text for p=reject and i… Murray S. Kucherawy
- Re: [dmarc-ietf] Proposed text for p=reject and i… Douglas Foster
- Re: [dmarc-ietf] Proposed text for p=reject and i… Murray S. Kucherawy
- Re: [dmarc-ietf] Proposed text for p=reject and i… Emanuel Schorsch
- Re: [dmarc-ietf] Proposed text for p=reject and i… Dotzero
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Mark Alley
- Re: [dmarc-ietf] Proposed text for p=reject and i… Laura Atkins
- Re: [dmarc-ietf] Proposed text for p=reject and i… Wei Chuang
- Re: [dmarc-ietf] Proposed text for p=reject and i… Alessandro Vesely
- Re: [dmarc-ietf] Proposed text for p=reject and i… Jim Fenton
- Re: [dmarc-ietf] Proposed text for p=reject and i… Jim Fenton
- Re: [dmarc-ietf] Proposed text for p=reject and i… Mark Alley
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Scott Kitterman
- [dmarc-ietf] Search for some consensus, was: Prop… Scott Kitterman
- Re: [dmarc-ietf] Search for some consensus, was: … John Levine
- Re: [dmarc-ietf] Search for some consensus, was: … Hector Santos
- Re: [dmarc-ietf] Search for some consensus, was: … Scott Kitterman
- Re: [dmarc-ietf] Search for some consensus, was: … Jesse Thompson
- Re: [dmarc-ietf] Search for some consensus, was: … Hector Santos
- Re: [dmarc-ietf] Search for some consensus, was: … Scott Kitterman
- Re: [dmarc-ietf] Search for some consensus, was: … Scott Kitterman
- Re: [dmarc-ietf] Search for some consensus, was: … Alessandro Vesely
- Re: [dmarc-ietf] Search for some consensus, was: … Scott Kitterman
- Re: [dmarc-ietf] Search for some consensus, was: … Hector Santos
- Re: [dmarc-ietf] Search for some consensus, was: … Scott Kitterman
- Re: [dmarc-ietf] Search for some consensus, was: … John Levine
- Re: [dmarc-ietf] Search for some consensus, was: … Jesse Thompson
- Re: [dmarc-ietf] Search for some consensus, was: … Jesse Thompson
- Re: [dmarc-ietf] Search for some consensus, was: … Scott Kitterman
- Re: [dmarc-ietf] Search for some consensus, was: … Scott Kitterman
- Re: [dmarc-ietf] Search for some consensus, was: … Jesse Thompson
- Re: [dmarc-ietf] Search for some consensus, was: … Jim Fenton
- Re: [dmarc-ietf] Search for some consensus, was: … Scott Kitterman
- Re: [dmarc-ietf] Search for some consensus, was: … Hector Santos
- Re: [dmarc-ietf] Search for some consensus, was: … Brotman, Alex
- Re: [dmarc-ietf] Search for some consensus, was: … Alessandro Vesely
- Re: [dmarc-ietf] Search for some consensus, was: … Alessandro Vesely
- Re: [dmarc-ietf] Search for some consensus, was: … Scott Kitterman
- Re: [dmarc-ietf] Search for some consensus, was: … Jesse Thompson
- Re: [dmarc-ietf] Search for some consensus, was: … Jesse Thompson
- Re: [dmarc-ietf] Search for some consensus, was: … Jesse Thompson
- Re: [dmarc-ietf] Search for some consensus, was: … Scott Kitterman
- Re: [dmarc-ietf] Search for some consensus, was: … Scott Kitterman
- Re: [dmarc-ietf] Search for some consensus, was: … Jesse Thompson
- Re: [dmarc-ietf] Search for some consensus, was: … Jesse Thompson
- Re: [dmarc-ietf] Search for some consensus, was: … Alessandro Vesely
- Re: [dmarc-ietf] Search for some consensus, was: … Alessandro Vesely
- Re: [dmarc-ietf] Proposed text for p=reject and i… Alessandro Vesely
- Re: [dmarc-ietf] Search for some consensus, was: … Scott Kitterman
- Re: [dmarc-ietf] Proposed text for p=reject and i… Hector Santos
- [dmarc-ietf] Summary: Search for some consensus, … Scott Kitterman
- Re: [dmarc-ietf] Summary: Search for some consens… Douglas Foster
- Re: [dmarc-ietf] Summary: Search for some consens… Hector Santos
- Re: [dmarc-ietf] Summary: Search for some consens… Douglas Foster
- [dmarc-ietf] Add MLS/MLM subscription/submissions… Hector Santos
- Re: [dmarc-ietf] Add MLS/MLM subscription/submiss… Douglas Foster
- Re: [dmarc-ietf] Add MLS/MLM subscription/submiss… Emanuel Schorsch
- Re: [dmarc-ietf] Add MLS/MLM subscription/submiss… Douglas Foster
- Re: [dmarc-ietf] Add MLS/MLM subscription/submiss… Alessandro Vesely
- Re: [dmarc-ietf] Add MLS/MLM subscription/submiss… Douglas Foster
- Re: [dmarc-ietf] Add MLS/MLM subscription/submiss… Hector Santos
- Re: [dmarc-ietf] Add MLS/MLM subscription/submiss… Brotman, Alex
- Re: [dmarc-ietf] Add MLS/MLM subscription/submiss… Hector Santos
- [dmarc-ietf] Fwd: Summary: Search for some consen… Scott Kitterman