Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Brandon Long <blong@fiction.net> Fri, 18 August 2017 18:51 UTC

MIME-Version: 1.0
In-Reply-To: <CAD2i3WPuiMw6Gbdw0E+Gh=yNDfNjECMrqLHKPUspq_h6dnpbnA@mail.gmail.com>
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com> <166070f0-4ba1-70da-1f73-885b4a7f7640@gmail.com> <1502497178.4103451.1070917304.23DD466D@webmail.messagingengine.com> <598F9484.7020700@isdg.net> <CABuGu1p=oLfLRkuoaDHoz3Cv3_FrURdsFPzkac7jNzBpqBmiSg@mail.gmail.com> <599484FB.9050908@isdg.net> <1502929303.4038704.1075868960.5D80A788@webmail.messagingengine.com> <CAD2i3WN_bmDgmQBw3pnyu7vWJJM2Kzwgru87VhK=NA_H91B+og@mail.gmail.com> <1502930858.4042926.1075890568.5069945B@webmail.messagingengine.com> <CABuGu1ofdkP6Gdsfin6KfpiTJW39gXz8Fa0iAAmXfcvyWGZxdA@mail.gmail.com> <CAD2i3WPuiMw6Gbdw0E+Gh=yNDfNjECMrqLHKPUspq_h6dnpbnA@mail.gmail.com>
From: Brandon Long <blong@fiction.net>
Date: Fri, 18 Aug 2017 11:51:39 -0700
Message-ID: <CABa8R6u_U8Z5nkPkUMWTg5jWBXKASnq6Z4z+v=nOZr7unKKhuQ@mail.gmail.com>
To: Seth Blank <seth@sethblank.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a1145512099e25605570b9e42"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KLUY9mq3Oi9LdFkQdJ0S0j46k2k>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
Precedence: list

On Fri, Aug 18, 2017 at 10:00 AM, Seth Blank <seth@sethblank.com> wrote:

> On Thu, Aug 17, 2017 at 11:46 PM, Kurt Andersen <kurta@drkurt.com> wrote:
>
>> So I was able to retrace our design steps which led to the 3-piece model
>> (AAR + AMS + AS) and the reasoning for the AS, signing just the ARC header
>> sequence was to provide the verifiable chain of custody trace (though, of
>> course, only from participating intermediaries). Some of the recent tweaks
>> to the spec to deal with malformed sets of ARC header fields have weakened
>> that original idea.
>>
>> In keeping with Bron's general idea to simplify, I'd suggest that having
>> an AAR + [optional AMS] + AS would be a close approach for handling steps
>> which do not break the ingress signature. Skipping the AMS would be a sign
>> to downstream intermediaries that the prior DKIM or AMS was still valid
>> upon egress. (certain details would have to be worked out)
>>
>> Does that help the conversation?
>>
>
> No, I think this is a huge step in the wrong direction.
>
> Right now, we've got deployed code that we know works and improves the
> landscape. Everything else is - rightly or wrongly - conjecture.
>
> Let's keep the tech stable and move to experimentation.
>
> If anything, this is an excellent question for receivers - when evaluating
> AMS/AS, were there any situations where you required both signatures to
> truly validate a chain and make a delivery decision, or with the added ARC
> payload is now just having one sufficient?
>

I'm leary that removing the AMS on certain hops is the right choice, here.
Without the AMS, the extra AAR/AS is not tied to this message directly, so
I'm unsure how to handle any assertions made in the AAR.  This also feels
like the opposite of what Bron is asking for.

I also proposed a month or so back some simplifying changes which were
largely met with radio silence, that would have partially mitigated some of
Bron's operational concerns, notably to either require the s/d be the same
on AS/AMS or to eliminate the signature and s/d on AMS completely,
switching the AMS to a hash that would then be covered by the AS.  That
doesn't reduce the number of crypto ops as much as his AMS only based
proposal (which presumably would halt at the first broken AMS).

Another option would be to change our expectations, that is to say that
signing by non-modifying hops is optional.

Brandon

[dmarc-ietf] ARC-Seal is meaningless security the… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Tim Draegen
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… John Levine
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Scott Kitterman
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… MH Michael Hammer (5304)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… mhammer@americangreetings.com
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos