Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart last call review of draft-ietf-dmarc-psd-08
"Murray S. Kucherawy" <superuser@gmail.com> Tue, 19 January 2021 06:43 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7EF03A1224 for <dmarc@ietfa.amsl.com>; Mon, 18 Jan 2021 22:43:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3e2ZWPSTOdDl for <dmarc@ietfa.amsl.com>; Mon, 18 Jan 2021 22:43:16 -0800 (PST)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A5B43A1221 for <dmarc@ietf.org>; Mon, 18 Jan 2021 22:43:16 -0800 (PST)
Received: by mail-vs1-xe32.google.com with SMTP id 186so8068706vsz.13 for <dmarc@ietf.org>; Mon, 18 Jan 2021 22:43:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mVNIhQlmD5spJMMzE6+T8aVKVxA++qW73OY3AtFlrvQ=; b=Eqj47BpWbhdXaXEOTlSIFdwAivLkiMIBQS5EM7ukCK5k6f2ufUJkpRJGFHIkDiG/y0 JB0/rARWE77ImjOc460hCs8+sXp+DQsg80/FJMrBIBb4Sk9oRTdDFCF7gw3d0Ucn/nBF grirjGslo4UqXdYkp9myShHdJJEUen2L/BH+lvOj//IL9HANUGccVwc8cDdk+VbwkWVc q3w6gEYFcZgTKAY/0On2INHWzUWZeQnlJD2O7q05St5/nxF6ODLMUUmo+kjSa1z8YPp1 o9vpf4ItHkR5Axf2Cv7Bk3T/91JJ8K/hVLP8HAivfy4PMF+SEbATH9ghuB/FnZb4eZ0/ 7r4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mVNIhQlmD5spJMMzE6+T8aVKVxA++qW73OY3AtFlrvQ=; b=NuDlc7KjULceC9wgIztMRE1bh60vSX2f4cYX574+Yv/XXPUQ8qXkf0Ub1LUfEENi+Q gUVDBGGBJeMysTd07uzdqOOBLmj8YjlNPUgmOQJAv/InlK/czJU0cyyMMTYNs6Q7/qH3 h1twtvdRPWAVEpm+Fhn2d7lYXplNz/JtXcAtmzG2ffbI7GbSL3hfIXyXVnFeAFaDua8q zqOVFkBRmdrpDc+muIX9bjOSHrZ1nYP+6h74HozqzF+pmi5865+15IekaWPrGXH1Jge4 X5DRIe5GwjtVl5bfZVMum3o69luZm4SAMI9Wg7ybHGtclPQZNoidbU9e2KBeFkin+BFP ypVg==
X-Gm-Message-State: AOAM531REeo7QFtiMjZikCNTt8W6NsKVgK3ONnRy3C1uXdct/ZVQ2MUy aaLDcEwRrVsKj2DfmjUIga/NcYPPNaZIUBSFi9xoI5rbibTP0Q==
X-Google-Smtp-Source: ABdhPJyCfL8tfAswplgfl+dXb0kJM2SY/mmvuDMqtf7Zge4BAKTjLd0Vmnf2wB0xg7U3Uym8i42njMA8tVXnHNKUHr8=
X-Received: by 2002:a67:2bc2:: with SMTP id r185mr1672284vsr.15.1611038594798; Mon, 18 Jan 2021 22:43:14 -0800 (PST)
MIME-Version: 1.0
References: <CADyWQ+Fb93SkiAnL4cuCfxC5Wi1ERLeKhguWqAp3j8YEa6JBSA@mail.gmail.com> <87ima4wu3s.fsf@hobgoblin.ariadne.com>
In-Reply-To: <87ima4wu3s.fsf@hobgoblin.ariadne.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Mon, 18 Jan 2021 22:43:01 -0800
Message-ID: <CAL0qLwbiOrgsEjZU_V6W8e42SRNoUh7CzyngRMR5RLeQpzrxaQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Cc: "Dale R. Worley" <worley@ariadne.com>
Content-Type: multipart/alternative; boundary="0000000000002997c905b93b27cf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/M-0go6seaV_DDLXXPGySzqHLzdA>
Subject: Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart last call review of draft-ietf-dmarc-psd-08
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2021 06:43:19 -0000
In the interests of getting this document on its way, I'd like to suggest the following edits in response to Dale's most recent message. If the working group concurs, we can finally get this out to Last Call. My goal as an AD here is just to get the GenART feedback addressed, but the text is being submitted as a WG contribution for discussion and consensus consideration, not as a demand. Please process accordingly; I believe the agreement is to do another WGLC on the document before it goes on its way, so the sooner consensus is reached on all of this, the sooner it goes. First, a suggestion of my own that I think I saw elsewhere, but it's not in Dale's reply: In several places there's a reference to "DMARC [RFC7489]". That's appropriate the first time the reference is made, but I think after that you can just say "DMARC" when referring to the protocol generally, or to "RFC 7489" when you need to make a specific section or text reference. They don't need to appear together everywhere. I think Dave's original feedback has been addressed -- good stuff -- so here are my suggestions around what's left: On Mon, Nov 16, 2020 at 7:16 PM Dale R. Worley <worley@ariadne.com> wrote: > My apologies for not tending to this promptly. > > In regard to the description of the experiments, the result criteria are > rather subjective, but I don't see that as a problem. It does seem to > me that the title "PSD DMARC Privacy Concern Mitigation Experiment" is > too narrow, as only the 3rd experiment seems to be about privacy > issues. A title as generic as "PSD DMARC Experiments" would be fine. > That's OK with me, or "DMARC PSD Experiments" or "DMARC PSD Experiment" if we want to treat it all as one common thing. > Although I note that even the -09 does not define "PSD", only "longest > PSD", even though "PSD" is used in section 2.5. I suspect that PSD is > equal to "PSO Controlled Domain Name", though, or rather to some related > set of them. That needs to be cleaned up in some way. > PSD appears to be well defined in Section 2.2. In section 3.5 and later there is the phrase "[this document] longest > PSD". I'm not sure, but I think this is supposed to be "longest PSD > ([this document] section NN.NN)". > Agreed. I believe that my strongest critique was that section 1 is difficult to > understand if one does not already understand DMARC, and it does not > seem that the section has been revised. Re-reading it, I notice that it > says "DMARC leverages public suffix lists to determine which domains are > organizational domains." Ignoring that I dislike this use of > "leverage", a critical point is that it takes the existence of public > suffix lists a priori -- indeed, this use of "leverage" generally means > that the leveraged thing already exists and one is now extracting > additional benefit from that. Whereas I've never heard of public suffix > lists and would naively expect that they are difficult to create and > maintain. It might be better to say "DMARC uses public suffix lists to > determine which domains are organizational domains. Public suffix lists > are obtained/maintained/distributed by ..." > Replace all of Section 1 with this (ignore funny line wrapping): DMARC [RFC7489 <https://tools.ietf.org/html/rfc7489>] provides a mechanism for publishing organizational policy information to email receivers. DMARC allows policy to be specified for both individual domains and for organizational domains and their sub-domains within a single organization. To determine the organizational domain for a message under evaluation, and thus where to look for a policy statement, DMARC makes use of a Public Suffix List. The process for doing this can be found in Section 3.2 of the DMARC specification. DMARC as specified presumes that domain names present in a PSL are not organizational domains and thus not subject to DMARC processing; domains are either organizational domains, sub-domains of organizational domains, or listed on a PSL. For domains listed in a PSL, i.e., TLDs and domains that exist between TLDs and organization level domains, policy can only be published for the exact domain. No method is available for these domains to express policy or receive feedback reporting for sub-domains. This missing method allows for the abuse of non-existent organizational-level domains and prevents identification of domain abuse in email. This document specifies experimental updates to the DMARC and PSL algorithm cited above, in an attempt to mitigate this abuse. Looking at the second paragraph of section 1, I notice that despite all > the special terms for classifying domain names in section 2, the example > in this section does not describe which of the domain names that it > mentions fall into which of these classes. E.g. "tax.gov.example" is > said to be registered, but it looks like it is also the organizational > domain, and "gov.example" is its longest PSD. It would also help to > mention that "tax.gov.example" is "registered at" "gov.example" to > introduce the details of the usage "registered at". > > Suppose there exists a domain "tax.gov.example" (registered at > "gov.example") ... > Introduce a new Section 1.1: "Example" with this: As an example, imagine a country code TLD (ccTLD) which has public subdomains for government and commercial use (".gov.example" and ".com.example"). A PSL whose maintainer is aware of this country's domain structure would include entries for both of these in the PSL, indicating that they are PSDs below which registrations can occur. Suppose further that there exists a domain "tax.gov.example", registered within ".gov.example", that is responsible for taxation in this imagined country. However, by exploiting the typically unauthenticated nature of email, there are regular malicious campaigns to impersonate this organization that use similar-looking ("cousin") domains such as "t4x.gov.example". Such domains are not registered. Within the ".gov.example" public suffix, use of DMARC has been mandated, so "gov.example" publishes the following DMARC DNS record: [remainder of -09's page 3, the example, unchanged] Introduce a new Section 1.2: "Discussion" comprising the remainder of -09's Section 1. In the first paragraph, between "simple" and "extension", add "experimental". A suggestion for 2.4: NEW: The longest PSD is the Organizational Domain with one label removed. It names the immediate parent node of the Organizational Domain in the DNS namespace tree. -MSK
- [dmarc-ietf] Genart last call review of draft-iet… Dale Worley via Datatracker
- Re: [dmarc-ietf] Genart last call review of draft… Todd Herr
- Re: [dmarc-ietf] Genart last call review of draft… Murray S. Kucherawy
- Re: [dmarc-ietf] Genart last call review of draft… Kurt Andersen (b)
- Re: [dmarc-ietf] Genart last call review of draft… John Levine
- Re: [dmarc-ietf] Genart last call review of draft… Todd Herr
- Re: [dmarc-ietf] Genart last call review of draft… Scott Kitterman
- Re: [dmarc-ietf] Genart last call review of draft… Kurt Andersen (b)
- Re: [dmarc-ietf] Genart last call review of draft… Tim Wicinski
- Re: [dmarc-ietf] Genart last call review of draft… John Levine
- Re: [dmarc-ietf] Genart last call review of draft… John Levine
- Re: [dmarc-ietf] Genart last call review of draft… Tim Wicinski
- Re: [dmarc-ietf] Genart last call review of draft… Kurt Andersen (b)
- Re: [dmarc-ietf] Genart last call review of draft… John R Levine
- Re: [dmarc-ietf] Genart last call review of draft… Alessandro Vesely
- Re: [dmarc-ietf] Genart last call review of draft… worley
- Re: [dmarc-ietf] Genart last call review of draft… Scott Kitterman
- Re: [dmarc-ietf] Genart last call review of draft… Seth Blank
- Re: [dmarc-ietf] Genart last call review of draft… Murray S. Kucherawy
- Re: [dmarc-ietf] Genart last call review of draft… Murray S. Kucherawy
- Re: [dmarc-ietf] [Last-Call] Genart last call rev… Scott Kitterman
- Re: [dmarc-ietf] [Last-Call] Genart last call rev… John Levine
- Re: [dmarc-ietf] [Last-Call] Genart last call rev… Kurt Andersen (b)
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… worley
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Tim Wicinski
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Alessandro Vesely
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… worley
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Murray S. Kucherawy
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Alessandro Vesely
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Douglas Foster
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Murray S. Kucherawy
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Murray S. Kucherawy
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Douglas Foster
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Murray S. Kucherawy
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Douglas Foster
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Tim Wicinski
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Tim Wicinski
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Tim Wicinski
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Murray S. Kucherawy
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Tim Wicinski
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Kurt Andersen (b)
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Murray S. Kucherawy
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Kurt Andersen (b)
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Tim Wicinski
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Murray S. Kucherawy
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Tim Wicinski
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Murray S. Kucherawy
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Alessandro Vesely
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Murray S. Kucherawy
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Murray S. Kucherawy
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Tim Wicinski
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Kurt Andersen (b)
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Alessandro Vesely
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Alessandro Vesely
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… Murray S. Kucherawy
- Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart las… worley