IETF Logo Mail Archive

Re: [dmarc-ietf] Additions to draft - Security Considerations

Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 27 April 2022 00:42 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB100C209B44 for <dmarc@ietfa.amsl.com>; Tue, 26 Apr 2022 17:42:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WfD4OFRvzgb5 for <dmarc@ietfa.amsl.com>; Tue, 26 Apr 2022 17:42:02 -0700 (PDT)
Received: from mail-oa1-x2e.google.com (mail-oa1-x2e.google.com [IPv6:2001:4860:4864:20::2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 642E6C20995B for <dmarc@ietf.org>; Tue, 26 Apr 2022 17:42:02 -0700 (PDT)
Received: by mail-oa1-x2e.google.com with SMTP id 586e51a60fabf-e2fa360f6dso435777fac.2 for <dmarc@ietf.org>; Tue, 26 Apr 2022 17:42:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=WnbCJ/4pPRA2wR21bzx+c3Eq7jAcIhl2YKbHsfMFxfo=; b=bRCB6mtqpHSIVoAo2G0YA+fEfyz4LO6aR+QHiZXU769LUl3LwSFcuuF2Uu35bF8zUI YHDVrUTFdqTzZgcIvfozeXl4C/F+/C0541osI4vppznuExIVu0pxQ8YxalgLZJSlhQV7 UufyXEOHc9JVa4RYu/Gl8awX7L01jmoI1R7tCJq09cU0InIiXFwSRx4nNdXosE/Rv9Z4 OU+3+78h9wSnhcxVhjDna/MHUF0x5q2KbqsoYCT62lvceV5jff57Vh1tsaxWF9EO5Rge tVJNNAGpqoypMdHDSmrc6j+pa9PNg99Qsic7YmMJKG5JECGwuiYp1fieIW1KS8Z7nA9r JN5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=WnbCJ/4pPRA2wR21bzx+c3Eq7jAcIhl2YKbHsfMFxfo=; b=yn0hnddcUUgHh1GrUvo7oJRVCPoGpEIGYb/y5sunuc0UysBuc4mOGQQnvcgVlVudn/ ZTnR9Z+7lEB8k4CHPGnN14dqeDEJ96OUVkKDVedjcFJiP//Brq27ZvGQiL1Tr7ZEep5H ePwvrbOk1j3k/uNXjoQV5NAnYGvouebSj6CNn/bG/23a/e54YCsAAV0vKjNrXJ5g9W6F HdofKD1z+BSMGHw0Vd+/mPtJo88VZZ+J2oY9j01hHfKU9myl9zck/jtAOCs9oAH6GVim c+td9rr/H9dZNYdEnUE2FwP3XyYU64cghHdphYFQdBdRBfTNqK/s0BfMH55EuEE1BmQu NI/w==
X-Gm-Message-State: AOAM532Ult2m5t8fTVaygg/gYjsz+5a6j++bM+lJoh9cGsfJ2MeEm9+6 SSuValCP3+DCFcRaS59jQd1nu9fWg46jiaipK82wL2D1
X-Google-Smtp-Source: ABdhPJyxdTwnsyC0jPClVEZGI57f7V5Dq3g4zsk427sJT1AY0nHfhi4t+XR+h/DgSI/KLzFidZ8l/c2hUKCtGMYaKec=
X-Received: by 2002:a05:6870:2041:b0:de:f8b7:d98e with SMTP id l1-20020a056870204100b000def8b7d98emr10576874oad.51.1651020120899; Tue, 26 Apr 2022 17:42:00 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48Zfz5MWDuQa1DJQE_YK9gAUL4P-se4CeGAGYCf+c6D0ysaA@mail.gmail.com> <2934216.d6BrxOLGqM@zini-1880> <83b5228b-adca-3a5d-3056-3ec5befa634b@tana.it> <FC08B97A-500B-4341-AF45-B9D93F432786@kitterman.com> <f56d41a4-86e0-e195-dd0c-32189fca61c8@tana.it>
In-Reply-To: <f56d41a4-86e0-e195-dd0c-32189fca61c8@tana.it>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Tue, 26 Apr 2022 20:41:51 -0400
Message-ID: <CAH48Zfwmp_HqNvHZ7TL3sNVDXiSXxYtPEQkKswsYS00AyZeh7g@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d2c46005dd981320"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/LkEPP4PMJ4M2C7yKQuncv-HEjLo>
Subject: Re: [dmarc-ietf] Additions to draft - Security Considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Apr 2022 00:42:06 -0000

Alessandro has figured me out.   I am trying to be very clear about the
advantages of strict alignment and same-domain policies.    I would stop
short of calling it a campaign, because I have no intent of trying to
deprecate the other options.

Security considerations are about ensuring that the evaluator understands
risks.   These need to be in the document because this forum helps us think
about things that may not be obvious to the reader without our help.
Similarly, the mitigations are advice to the message senders:   if you want
to minimize distrust by the evaluator of your message, here are things to
do and things to avoid.

We have four levels of trust related to organizational alignment, for
lowest to highest trust:
- Organization boundary unknown (no DMARC policy)
- Organization boundary selected but not verified (the tree walk)
- Organization boundary selected and verified (needs discussion)
- Organization boundary not needed (strict alignment and exact match
domains)

A message sender who wants to maximize trust can do so by making
organization ambiguity irrelevant to the approval decision.


Organization boundary verification:

We have established that the organization boundary should be verified when
the domain path includes a private registration.  This is because the tree
walk might select the registrar domain instead of the client
domain, allowing a private registration client to impersonate the parent or
the sibling domains.    Since we don't know which domain paths contain
private registries, we need to verify all organizational domain selections.

Note that it is not enough to handle this problem with psd=n, because the
evaluator needs to know that the psd=n which he found is the correct one
for his DNS path.   Although the RFC 7489 (PSL) method does not have a
verification method, it could be used as a verification method for the tree
walk.   However, this approach would not do enough to solve the existing
PSL problems.  Instead, we need a DNS-based method of doing this.   My
OrgBelow token proposal accomplishes that purpose, by providing explicit
information about boundaries from the perspective of both the From domain
and the selected Organizational domain.    When they agree, we have the
desired evidence of common administrative control.   When they do not
explicitly agree, we have ambiguity.   In most cases, the evaluator will
choose to accept the ambiguity, but we should provide a mechanism for the
message sender and evaluator to operate with minimal ambiguity and minimal
fear.  So we need a token like OrgsBelow.

Doug



On Tue, Apr 26, 2022 at 12:57 PM Alessandro Vesely <vesely@tana.it> wrote:

> On Tue 26/Apr/2022 14:53:27 +0200 Scott Kitterman wrote:
> > On April 26, 2022 8:06:50 AM UTC, Alessandro Vesely <vesely@tana.it>
> wrote:
> >>On Mon 25/Apr/2022 05:56:46 +0200 Scott Kitterman wrote:
> >>>
> >>> How about something like this:
> >>>
> >>> 9.7 Determination of the Organizational Domain For Relaxed Alignment
> >>>
> >>> DMARC evaluation for relaxed alignment is highly sensitive to errors
> in the
> >>> determination of the organizational domain if the RFC5322.From domain
> does not
> >>> have a published policy.  If an incorrectly selected organizational
> domain is
> >>> a parent of the correct organizational domain, then relaxed alignment
> could
> >>> potentially allow a malicious sender to obtain DMARC PASS.  This
> potential
> >>> exists for both the legacy [RFC 7489] and current [Section 4.8]
> methods for
> >>> determining the organizational domain.
> >>
> >>
> >>I object that this text undermines the robustness of the protocol and
> may sound like a campaign for strict alignment.  Relaxed alignment is safer
> from a flexibility POV, as it accounts for occasional @
> hostname.example.com.  It has played a relevant role in DMARC success,
> and it's not by chance the default.
> >>
> >>Here's an alternative text:
> >>
> >>    DMARC evaluation for relaxed alignment is sensitive to errors in the
> >>    determination of the organizational domain due to erroneous DNS
> settings by
> >>    either the organizational domain or its PSD parent.  If the PSD
> parent is
> >>    incorrectly selected as organizational domain, then relaxed
> alignment can
> >>    potentially allow a malicious sender to obtain DMARC PASS while
> >>    impersonating the relevant organization.  This potential exists for
> both
> >>    the legacy [RFC 7489] and current [Section 4.8] methods for
> determining the
> >>    organizational domain.
> >>
> >>
> >>> This issue is completely avoided by use of strict alignment and
> publishing
> >>> DMARC records for all domains/sub-domains used as RFC5322.From domain
> in an
> >>> organization's email.
> >>
> >>
> >>   or by publishing psd=n.
> >>
> >>
> >>> For cases where strict alignment is not appropriate, this issue can be
> >>> mitigated by periodically checking the DMARC records, if any, of PSDs
> above
> >>> the organization's domains in the DNS tree and (for legacy [RFC 7489]
> checking
> >>> that appropriate PSL entries remain present).  If a PSD domain
> publishes a
> >>> DMARC record without the appropriate psd=y tag, organizational domain
> owners
> >>> can add psd=n to their organizational domain's DMARC record so that
> the PSD
> >>> record will not be incorrectly evaluated to be the organizational
> domain.
> >>
> >>
> >>The latter alternative is obviously easier than monitoring the DNS
> settings of the PSD parent, and has to be carried out anyway in case.
> >
> > What specifically do you object to?
>
>
> A quick skim through your text seems to be summarizable as "DMARC has a
> defect
> but you can overcome it by using strict alignment".  I know that's not
> what you
> meant, but it sounds quite like that.
>
>
> > Do you think it's inaccurate that this concern is limited to relaxed
> alignment?
>
>
> No, I think it's wrong to blame relaxed alignment.
>
>
> > The specific suggestion you added (or by publishing psd=n) is already in
> the text later on, so I'm not understanding what you think the problem is
> or what you want to do about it?
>
>
> The alternative text above differs slightly from the first paragraph of
> the
> text you proposed, in an attempt at watering down that meaning.
>
>
> Best
> Ale
> --
>
>
>
>
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email