IETF Logo Mail Archive

Re: [dmarc-ietf] non-mailing list use case for differing header domains

Hector Santos <hsantos@isdg.net> Wed, 29 July 2020 17:34 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC22A3A0C2A for <dmarc@ietfa.amsl.com>; Wed, 29 Jul 2020 10:34:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=ITA8HjQ/; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=kJ9ksFTe
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Luag4pD5yUWE for <dmarc@ietfa.amsl.com>; Wed, 29 Jul 2020 10:34:57 -0700 (PDT)
Received: from mail.winserver.com (catinthebox.net [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB2E83A0DE1 for <dmarc@ietf.org>; Wed, 29 Jul 2020 10:34:56 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=3356; t=1596044088; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=FkrbJAburRqRpbkjRb0HVPaog6g=; b=ITA8HjQ/+Zq2Thi6mEFKDSaHm+RWB9ipmdeVqM6o+QRwXa47PE1Jjh4dPaUSfb QXAJ+VFTyyJ4Pd8v4OB82LKwgyAOQZm5m6WuzLIHZn0y+1DF+Hl1BMEKlMKBKIrx K9kebz54XhXS/xccdbHJNu4CxSklfINg6s1WhmS1CUPBQ=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Wed, 29 Jul 2020 13:34:47 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 2476379291.1.4892; Wed, 29 Jul 2020 13:34:47 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=3356; t=1596043974; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=vu8OJzm bmms9AOTfstE9VZiU15M+MEHugNwfWPyL1Nc=; b=kJ9ksFTe1xWmQ1SVCypNm/N RUf8v0y2CJ55EAMNasuOSyfM0FjJpMGreI79po9XVNk7Qi9vQ2vkH34wUSUlrw9D 0yRC8fjJui6Sv9WLfcTFjkYM1KWpDiVMohmFz4yoqxEgTXbuX2Ht3NKFUMdgsG0y E7AReZpDQVti6s1/5WX0=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Wed, 29 Jul 2020 13:32:54 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 2187149546.1.60784; Wed, 29 Jul 2020 13:32:53 -0400
Message-ID: <5F21B338.8000700@isdg.net>
Date: Wed, 29 Jul 2020 13:34:48 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Doug Foster <fosterd@bayviewphysicians.com>, dmarc@ietf.org
References: <BY5PR13MB29998094418C8A6C25902569D7730@BY5PR13MB2999.namprd13.prod.outlook.com> <c0361cb2-b25b-5d75-cb1f-f9c87e3ecccc@tana.it> <AE9A3A9F-27FC-4935-B8E6-AB0CE1A6D5E2@wordtothewise.com> <5F204CB3.7080404@isdg.net> <000001d66503$4d447e50$e7cd7af0$@bayviewphysicians.com>
In-Reply-To: <000001d66503$4d447e50$e7cd7af0$@bayviewphysicians.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KxW10InPJHXfMnJhg2R9j6oEdkk>
Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 17:35:02 -0000

On 7/28/2020 1:19 PM, Doug Foster wrote:
> Hector, I do not understand this comment:
>
> "The DKIM Policy Model since ADSP lacked the ability to authorize 3rd party domains. DMARC did not address the problem and reason ADSP was abandoned. Hence the on-going dilemma."
>

SSP, ADSP and DMARC are technical specs for a DKIM POLICY Model.

The problem we have with DMARC was the same with SSP which was 
replaced by ADSP which attempted to ignore the problem. Generally, as 
it often done with ambiguous issues in the IETF, we ignore it, we make 
it out of scope, we keep it open ended, etc.  It just wasn't resolved 
and ADSP was abandoned but returned as DMARC but it also kept the same 
3rd party ignorance as ADSP did.   If this issue is not resolved for 
DMARC, I see an interesting situation during DMARCBis Last Call 
explaining how we abandoned ADSP for having problem XYZ and then 
reintroduced "SUPER ADSP" as DMARC but it still has the problem XYZ.

> Domains that participate with a mailing list have the option of including the ML servers in their SPF record, or delegating them a DKIM scope and key.    But to obtain that authorization from the sending domain, someone would have to ask for it, and might not receive the desired answer.
>
> The goal of this discussion is to find a way to coerce trust.   We do not lack ways to grant trust on request.

This issue is not about the known, but the unknown. We don't have an 
issue with proactive authorization and whitelisting methods.

I've been in this DKIM project for 15+ years, and to me, the goal has 
also been to find a reasonable, scalable deterministic protocol that 
will handle unsolicited, unknown 3rd party domain signers. Not 
necessarily unknown in a bad sense, unknown that you don't know 
anything about them. So you ask the author, "Hey, is this 3rd party 
signer ok?"

SPF allows 3rd party IP declarations.  DKIM POLICY model does not 
offer this capability.

We have DKIM Policy extension proposals like ATPS (RFC6541) that 
offers a deterministic method to associate the author domain with 3rd 
party signer domains.   This authorization is defined by the 
Originating, Author Domain.

Look at my DMARC record for my isdg.net domain:

v=DMARC1; p=reject; atps=y; rua=mailto:dmarc-rua@isdg.net; 
ruf=mailto:dmarc-ruf@isdg.net;

The atps=y tells an ATPS compliant receiver that if it sees a 3rd 
party domain signature:

   Author Domain IS NOT EQUAL TO Signer Domain

Then it can do a ATPS look:

    base32(sha1(SIGNER-DOMAIN))._atps.isdg.net

So if I wanted to authorized bayviewphysicians.com to be able to sign 
for me, I would go to the wizard 
https://secure.winserver.com/public/wcdmarc,  enter your domain in the 
list of authorized signers, click Zone Record and I get a record I can 
add to my isdg.net zone:

e25dhs2vmyjf2tc2df4efpeu7js7hbik._atps  TXT ("v=atps01; 
d=bayviewphysicians.com;")

So anyone out there can see that I authorized bayviewphysicians.com to 
sign for isdg.net

It is really sample.

Whether we can "coerce" receivers to honor any of this is a different 
situation.  In general, all you can do create a PROTOCOL that makes 
good engineering sense and usable by the IETF community. If not, then 
generally systems will ignore it.


-- 
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos

v2.23.0 | Report a Bug | By Email