IETF Logo Mail Archive

[dmarc-ietf] Clarifying question: AAR coverage by AMS

Seth Blank <seth@valimail.com> Thu, 25 May 2017 22:47 UTC

Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AEAC127B52 for <dmarc@ietfa.amsl.com>; Thu, 25 May 2017 15:47:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RmLj1_FServx for <dmarc@ietfa.amsl.com>; Thu, 25 May 2017 15:47:52 -0700 (PDT)
Received: from mail-qt0-x232.google.com (mail-qt0-x232.google.com [IPv6:2607:f8b0:400d:c0d::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F32A0129BD4 for <dmarc@ietf.org>; Thu, 25 May 2017 15:47:51 -0700 (PDT)
Received: by mail-qt0-x232.google.com with SMTP id c13so192654065qtc.1 for <dmarc@ietf.org>; Thu, 25 May 2017 15:47:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:from:date:message-id:subject:to; bh=ns0MckXN3UyQl66XpSIl82oHyde31LAda7lV2qXHUCY=; b=M0cy/6fCtxdJz9Ep1G1gvUpYhwZZhS87Xe32jhpYj/w4SyRqaOOcNKgO0antSghNvU VPpcfZRZ51qxMCoJDToN69kqX7aqXuJ8WZNSW9hhjTCOjr8UJ/umQvQIaBqaSwHGZgPd S9tl6W3CnO4LrNvUR85RdeN6iPyeJSquNQp7sG2Wf9BdC/MmSkHbKuFiENYxws28QmXd OQBXo9junHdIEh5NtbAOxvQZYUI7S9H29T7lsPrviGxnr5srC4TbyQhQMDsObtA/q7mC PIxpISUwPeLwKl1F/TtVx7CgiUvLYR2oDZeKavucNrGayfxgzUdxrPHFDMUNMYOp/gIR VsXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=ns0MckXN3UyQl66XpSIl82oHyde31LAda7lV2qXHUCY=; b=XIluNpEz9DZ73NGZTcqTLAsdM+B5S85xokXgCzbWCbpQs3QlgVCS/aALfCQdJgA4ht 3DqdYrnAnIJkGAa3i7b/kzRol6dZPMK3o6DPD9ZlFEZY2twxVSupDcDsA57Dei19ZFtw h4DbGwn7ql3aukjOPdQSC9r2un09QQu0U6Lt4fQ52LH/glWoooRUyLfB9VPUcoDNpMcd 7qpj/cafE6Tgkwlz6BLIBoxZbloOq2c20tKb8ZOqfnkRNBEMWQ171dxTL532nXMLZ7Ue jdVVxw7Gea+ymZEHmxPy8VMOiHRD7+nLCVEwWi+bwHsbadRYTtuftWVsmaCNyGRH1nP8 PcVg==
X-Gm-Message-State: AODbwcBlkOzTigviM4QDFLeRQblUeHLj5BupRHV/x4Sg59LJR7yHLmnH iGuiVdmyFvYwq2Cnz/4BysFAqY+d4ZyrVSqWwg==
X-Received: by 10.200.55.184 with SMTP id d53mr43396179qtc.94.1495752470892; Thu, 25 May 2017 15:47:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.200.42.242 with HTTP; Thu, 25 May 2017 15:47:30 -0700 (PDT)
From: Seth Blank <seth@valimail.com>
Date: Thu, 25 May 2017 15:47:30 -0700
Message-ID: <CAOZAAfMtaDkTxuWB9M_3qD7tLGDWGBxpKpb8v4NyX1wjTThK=Q@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a113b0390b4b175055061023b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KvpNpf_9ywZpK6oMcwJ1OJthiHM>
Subject: [dmarc-ietf] Clarifying question: AAR coverage by AMS
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2017 22:47:54 -0000

This might be a non-issue, but we're asking this question specifically
because we've run into an implementation issue within openarc that feels
weird and seems like a matter the WG may want to weigh in on.

Our expectation is that, for any given ARC Set n, AMS[n] would cover AAR[n].

Currently in openarc, AMS[n] covers all previous AAR[1..n-1] but *not*
AAR[n] because AAR[n] isn't created until substantially later in the flow.

Technically, this behavior is within spec as defined in
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-03#section-5.1.2.1.1
:

   Participants may include any other header fields within the scope of
   the ARC-Message-Signature signature except that they MUST NOT include
   ARC-Seal headers fields.  In particular, including all DKIM-Signature
   header fields and all ARC-Authentication-Results header fields is
   RECOMMENDED.

Is it worth guaranteeing that, if signing AARs, AMS[n] must cover AAR[n]?

Or is this irrelevant because AS[n] is required to cover AMS[n] and AAR[n]?
But if so, why recommend the AAR be covered by the AMS at all in the first
place?

While the differences between these two assertions appear to be benign
(AAR[n] is always signed by AS[n], so whether or not it is in AMS[n]
shouldn't matter), the spec leaves room for confusion about the right thing
to do.

What was the original intention here and does this need clarification?

-- 

[image: logo for sig file.png]

Bringing Trust to Email

Seth Blank | Head of Product for Open Source and Protocols
seth@valimail.com
+1-415-894-2724 <415-894-2724>

v2.23.0 | Report a Bug | By Email