IETF Logo Mail Archive

Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart last call review of draft-ietf-dmarc-psd-08

"Murray S. Kucherawy" <superuser@gmail.com> Tue, 19 January 2021 06:43 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7EF03A1224 for <dmarc@ietfa.amsl.com>; Mon, 18 Jan 2021 22:43:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3e2ZWPSTOdDl for <dmarc@ietfa.amsl.com>; Mon, 18 Jan 2021 22:43:16 -0800 (PST)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A5B43A1221 for <dmarc@ietf.org>; Mon, 18 Jan 2021 22:43:16 -0800 (PST)
Received: by mail-vs1-xe32.google.com with SMTP id 186so8068706vsz.13 for <dmarc@ietf.org>; Mon, 18 Jan 2021 22:43:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mVNIhQlmD5spJMMzE6+T8aVKVxA++qW73OY3AtFlrvQ=; b=Eqj47BpWbhdXaXEOTlSIFdwAivLkiMIBQS5EM7ukCK5k6f2ufUJkpRJGFHIkDiG/y0 JB0/rARWE77ImjOc460hCs8+sXp+DQsg80/FJMrBIBb4Sk9oRTdDFCF7gw3d0Ucn/nBF grirjGslo4UqXdYkp9myShHdJJEUen2L/BH+lvOj//IL9HANUGccVwc8cDdk+VbwkWVc q3w6gEYFcZgTKAY/0On2INHWzUWZeQnlJD2O7q05St5/nxF6ODLMUUmo+kjSa1z8YPp1 o9vpf4ItHkR5Axf2Cv7Bk3T/91JJ8K/hVLP8HAivfy4PMF+SEbATH9ghuB/FnZb4eZ0/ 7r4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mVNIhQlmD5spJMMzE6+T8aVKVxA++qW73OY3AtFlrvQ=; b=NuDlc7KjULceC9wgIztMRE1bh60vSX2f4cYX574+Yv/XXPUQ8qXkf0Ub1LUfEENi+Q gUVDBGGBJeMysTd07uzdqOOBLmj8YjlNPUgmOQJAv/InlK/czJU0cyyMMTYNs6Q7/qH3 h1twtvdRPWAVEpm+Fhn2d7lYXplNz/JtXcAtmzG2ffbI7GbSL3hfIXyXVnFeAFaDua8q zqOVFkBRmdrpDc+muIX9bjOSHrZ1nYP+6h74HozqzF+pmi5865+15IekaWPrGXH1Jge4 X5DRIe5GwjtVl5bfZVMum3o69luZm4SAMI9Wg7ybHGtclPQZNoidbU9e2KBeFkin+BFP ypVg==
X-Gm-Message-State: AOAM531REeo7QFtiMjZikCNTt8W6NsKVgK3ONnRy3C1uXdct/ZVQ2MUy aaLDcEwRrVsKj2DfmjUIga/NcYPPNaZIUBSFi9xoI5rbibTP0Q==
X-Google-Smtp-Source: ABdhPJyCfL8tfAswplgfl+dXb0kJM2SY/mmvuDMqtf7Zge4BAKTjLd0Vmnf2wB0xg7U3Uym8i42njMA8tVXnHNKUHr8=
X-Received: by 2002:a67:2bc2:: with SMTP id r185mr1672284vsr.15.1611038594798; Mon, 18 Jan 2021 22:43:14 -0800 (PST)
MIME-Version: 1.0
References: <CADyWQ+Fb93SkiAnL4cuCfxC5Wi1ERLeKhguWqAp3j8YEa6JBSA@mail.gmail.com> <87ima4wu3s.fsf@hobgoblin.ariadne.com>
In-Reply-To: <87ima4wu3s.fsf@hobgoblin.ariadne.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Mon, 18 Jan 2021 22:43:01 -0800
Message-ID: <CAL0qLwbiOrgsEjZU_V6W8e42SRNoUh7CzyngRMR5RLeQpzrxaQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Cc: "Dale R. Worley" <worley@ariadne.com>
Content-Type: multipart/alternative; boundary="0000000000002997c905b93b27cf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/M-0go6seaV_DDLXXPGySzqHLzdA>
Subject: Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart last call review of draft-ietf-dmarc-psd-08
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2021 06:43:19 -0000

In the interests of getting this document on its way, I'd like to suggest
the following edits in response to Dale's most recent message.  If the
working group concurs, we can finally get this out to Last Call.

My goal as an AD here is just to get the GenART feedback addressed, but the
text is being submitted as a WG contribution for discussion and consensus
consideration, not as a demand.   Please process accordingly; I believe the
agreement is to do another WGLC on the document before it goes on its way,
so the sooner consensus is reached on all of this, the sooner it goes.

First, a suggestion of my own that I think I saw elsewhere, but it's not in
Dale's reply: In several places there's a reference to "DMARC [RFC7489]".
That's appropriate the first time the reference is made, but I think after
that you can just say "DMARC" when referring to the protocol generally, or
to "RFC 7489" when you need to make a specific section or text reference.
They don't need to appear together everywhere.

I think Dave's original feedback has been addressed -- good stuff -- so
here are my suggestions around what's left:

On Mon, Nov 16, 2020 at 7:16 PM Dale R. Worley <worley@ariadne.com> wrote:

> My apologies for not tending to this promptly.
>
> In regard to the description of the experiments, the result criteria are
> rather subjective, but I don't see that as a problem.  It does seem to
> me that the title "PSD DMARC Privacy Concern Mitigation Experiment" is
> too narrow, as only the 3rd experiment seems to be about privacy
> issues.  A title as generic as "PSD DMARC Experiments" would be fine.
>

That's OK with me, or "DMARC PSD Experiments" or "DMARC PSD Experiment" if
we want to treat it all as one common thing.


> Although I note that even the -09 does not define "PSD", only "longest
> PSD", even though "PSD" is used in section 2.5.  I suspect that PSD is
> equal to "PSO Controlled Domain Name", though, or rather to some related
> set of them.  That needs to be cleaned up in some way.
>

PSD appears to be well defined in Section 2.2.

In section 3.5 and later there is the phrase "[this document] longest
> PSD".  I'm not sure, but I think this is supposed to be "longest PSD
> ([this document] section NN.NN)".
>

Agreed.

I believe that my strongest critique was that section 1 is difficult to
> understand if one does not already understand DMARC, and it does not
> seem that the section has been revised.  Re-reading it, I notice that it
> says "DMARC leverages public suffix lists to determine which domains are
> organizational domains."  Ignoring that I dislike this use of
> "leverage", a critical point is that it takes the existence of public
> suffix lists a priori -- indeed, this use of "leverage" generally means
> that the leveraged thing already exists and one is now extracting
> additional benefit from that.  Whereas I've never heard of public suffix
> lists and would naively expect that they are difficult to create and
> maintain.  It might be better to say "DMARC uses public suffix lists to
> determine which domains are organizational domains.  Public suffix lists
> are obtained/maintained/distributed by ..."
>

Replace all of Section 1 with this (ignore funny line wrapping):

   DMARC [RFC7489 <https://tools.ietf.org/html/rfc7489>] provides a
mechanism for publishing organizational
   policy information to email receivers.  DMARC allows policy to be
   specified for both individual domains and for organizational domains
   and their sub-domains within a single organization.

   To determine the organizational domain for a message under evaluation,
   and thus where to look for a policy statement, DMARC makes use of a
Public Suffix List.
   The process for doing this can be found in Section 3.2 of the DMARC
specification.

   DMARC as specified presumes that domain names present in a PSL are not
   organizational domains and thus not subject to DMARC processing; domains
   are either organizational domains, sub-domains of organizational
   domains, or listed on a PSL.  For domains listed in a
   PSL, i.e., TLDs and domains that exist between TLDs and
   organization level domains, policy can only be published for the
   exact domain.  No method is available for these domains to express
   policy or receive feedback reporting for sub-domains.  This missing
   method allows for the abuse of non-existent organizational-level
   domains and prevents identification of domain abuse in email.

   This document specifies experimental updates to the DMARC and PSL
algorithm cited
   above, in an attempt to mitigate this abuse.


Looking at the second paragraph of section 1, I notice that despite all
> the special terms for classifying domain names in section 2, the example
> in this section does not describe which of the domain names that it
> mentions fall into which of these classes.  E.g. "tax.gov.example" is
> said to be registered, but it looks like it is also the organizational
> domain, and "gov.example" is its longest PSD.  It would also help to
> mention that "tax.gov.example" is "registered at" "gov.example" to
> introduce the details of the usage "registered at".
>
>     Suppose there exists a domain "tax.gov.example" (registered at
>     "gov.example") ...
>

Introduce a new Section 1.1: "Example" with this:

   As an example, imagine a country code TLD (ccTLD) which has public
   subdomains for government and commercial use (".gov.example" and
   ".com.example").  A PSL whose maintainer is aware of this country's
domain structure
   would include entries for both of these in the PSL, indicating that they are
   PSDs below which registrations can occur.  Suppose further that
there exists a domain
   "tax.gov.example", registered within ".gov.example", that is
   responsible for taxation in this imagined
   country.

   However, by exploiting the typically unauthenticated nature
   of email, there are regular malicious campaigns to impersonate this
   organization that use similar-looking ("cousin") domains such as
   "t4x.gov.example".  Such domains are not registered.

   Within the
   ".gov.example" public suffix, use of DMARC has been mandated, so
   "gov.example" publishes the following DMARC DNS record:

   [remainder of -09's page 3, the example, unchanged]
Introduce a new Section 1.2: "Discussion" comprising the remainder of
-09's Section 1.  In the first paragraph, between "simple" and
"extension", add "experimental".

A suggestion for 2.4:

NEW:

The longest PSD is the Organizational Domain with one label removed.
It names the immediate parent node of the Organizational Domain in the
DNS namespace tree.

-MSK

v2.23.0 | Report a Bug | By Email