Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
Hector Santos <hsantos@isdg.net> Fri, 31 May 2019 15:02 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C99AD1201E3 for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 08:02:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=la09Q0E8; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=QrP6Jg6Z
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CjBoSuwt7X9U for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 08:02:17 -0700 (PDT)
Received: from mail.winserver.com (mail.santronics.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 0FDEA12026A for <dmarc@ietf.org>; Fri, 31 May 2019 08:02:14 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4133; t=1559314933; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=7etUV/W81ChCS7noh9YnVtUlSno=; b=la09Q0E8he1ko6IdCNUlNoiF+C8WJBkMZdKnV4IyZy4AinkoED5lNvHywPPCiY AeVG64Pst79www0V75n9pglExWWj/ufMFOBOssY/d4Pic4LLb21n5cVA5D8dvhyJ SJBptwGAcT0JtL+cvUFMa0GkIyk0pfoq+26pq8LnPit/Q=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Fri, 31 May 2019 11:02:13 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 107383898.58212.1500; Fri, 31 May 2019 11:02:12 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4133; t=1559314756; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=0rtiydh dXnp60RoP/KodDg9mcv+K80RIRTonw/f0wyk=; b=QrP6Jg6ZnjEWEzlshjgb9n2 0k2Z8xsgSdDtDxXNqI6vKSDWbznY1MedMYzjv3P53IIJ/DWcBnRNbYlQBNGhLLMs loO2f0zWfpVUWrJNRsuS1pIZgwOWqlMXCzcyBx3LoTz0YGm5GkOD5vGRZZUmACAP HJZojY/z9f6RSf5PD79A=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Fri, 31 May 2019 10:59:16 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 1679611582.9.252400; Fri, 31 May 2019 10:59:15 -0400
Message-ID: <5CF141F6.7030000@isdg.net>
Date: Fri, 31 May 2019 11:02:14 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <54FB29A0-517A-430E-AF5B-CB079CC3D7F6@aegee.org> <20190526144848.08A772014A0BF4@ary.qy> <CAL0qLwbxwLTpgYJN9qBTzi2oN1EMvAYuNoDbw5Rx5W46-WNyLA@mail.gmail.com> <alpine.OSX.2.21.9999.1905301712140.76792@ary.qy> <c559a331d90b49eba5b5f6e35ff4774a@bayviewphysicians.com> <1931a4e4-7112-56ae-24e6-b138466392b4@dcrocker.net> <f5106924930f41c5bd83a709e4307f8b@bayviewphysicians.com>
In-Reply-To: <f5106924930f41c5bd83a709e4307f8b@bayviewphysicians.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/K4XTZDkPz2x02grF8MBG0kmXXTI>
Subject: Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 15:02:24 -0000
On 5/31/2019 6:59 AM, Douglas E. Foster wrote:
> DKIM was supposed to provide sender authentication when SPF was
> invalidated by forwarding, so DMARC said that the two techniques
> should be evaluated together.
Unfortunately, DMARC did not have a policy that offered that output.
SPF >> FAIL
DMARC >> PASS?
Overall, DMARC failed to cover all the possible scenarios of mixed
signatures.
To cover all aspects, the DKIM POLICY model has to offer 3rd party
signature conditions. In the DSAP proposal, it highlighted this as
the broader possible options:
https://tools.ietf.org/html/draft-santos-dkim-dsap-00#section-4.2
+-----------------------------------------------------------------+
| op= | 3p= | Domain Policy Semantics |
|=================================================================|
| empty | empty | No mail expected |
|-----------------------------------------------------------------|
| never | never | No signing expected |
| never | always | Only 3P signing expected |
| never | optional | Only 3P signing optional |
|-----------------------------------------------------------------|
| always | never | OP signature expected |
| always | always | Both parties expected |
| always | optional | OP expected, 3P may sign |
|-----------------------------------------------------------------|
| optional | never | Only OP signing expected |
| optional | always | OP expected, 3P expected |
| optional | optional | Both parties may sign. |
+-----------------------------------------------------------------+
That covered all possible combinations.
We actually wrote an IETF functional spec regarding Sender Signing
Policies:
rfc5016 Requirements for a DKIM Signing Practices Protocol
https://tools.ietf.org/html/rfc5016
Abstract
DomainKeys Identified Mail (DKIM) provides a cryptographic mechanism
for domains to assert responsibility for the messages they handle. A
related mechanism will allow an administrator to publish various
statements about their DKIM signing practices. This document defines
requirements for this mechanism, distinguishing between those that
must be satisfied (MUST), and those that are highly desirable
(SHOULD).
But then something happen as this document was being completed -- list
administrators got scared that DKIM Policy was gaining tractions and
stepping into their market toes. After all, we had "30 years" of
legacy list operations, we did not want DKIM Policy interfering with
the broad range of established list distribution operations. So this
RFC5016 "Blocker" was written at the last minute to preempt it from
happening:
Section 5.3, Item 10
https://tools.ietf.org/html/rfc5016#section-5.3
10. SSP MUST NOT provide a mechanism that impugns the existence of
non-first party signatures in a message. A corollary of this
requirement is that the protocol MUST NOT link practices of first
party signers with the practices of third party signers.
INFORMATIVE NOTE: the main thrust of this requirement is that
practices should only be published for that which the publisher
has control, and should not meddle in what is ultimately the
local policy of the receiver.
That was basically, a "Don't step on my turf!!" requirement. It also
meant "Local Policy Always Prevail" regardless of what a Domain
published which is always the case anyway. Does not need to be stated.
But overall, this is what help demote SSP, ADSP, ATPS and DKIM
policy in general. ADSP was abandoned.
But no one can kill a good idea, the proof of concept was too
powerful, hence it returned as DMARC but as an informational status
document to avoid the IETF mch higher review process.
I have no idea how a high overhead, complex ARC will resolve this
problem unless
it comes with a 3rd party signature concept with an extended DMARC
"arc=y" tag:
arc=y If the 1st party signature failed, then authorize the XYZ
domains using ARC seals to promote a failure to a pass.
How would you specify the 'authorization" of XYZ domains and do so at
scale?
--
HLS
- [dmarc-ietf] Debugging and preventing DKIM failur… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Дилян Палаузов
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Murray S. Kucherawy
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John R Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dotzero
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Doug Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John R Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Elizabeth Zwicky
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Stan Kalisch