IETF Logo Mail Archive

Re: [dmarc-ietf] Next steps for RFC 7489 (DMARC)

Hector Santos <hsantos@isdg.net> Mon, 30 March 2015 08:46 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5944B1A9244 for <dmarc@ietfa.amsl.com>; Mon, 30 Mar 2015 01:46:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.302
X-Spam-Level:
X-Spam-Status: No, score=-99.302 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6MgrYkadN0VE for <dmarc@ietfa.amsl.com>; Mon, 30 Mar 2015 01:46:16 -0700 (PDT)
Received: from ntbbs.winserver.com (news.winserver.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id BC16A1ACD05 for <dmarc@ietf.org>; Mon, 30 Mar 2015 01:46:15 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=6406; t=1427705165; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=IH7fdhw9nvmoXA9jsuD0hzCos4Q=; b=LFsGTY3G75ralh5d9WJx RxN3KCuG9nGyk+w1GKB9GuliHU5jOFwcBwMGIknkN8oxCp6tDof3HbGimyKhchcq ljym2M+JSqeJGQlc3n/pVQC/tVFGM0rtRNhA3XsXY5pusGqrSJydjYHRgS3rYeWm Nl05kiB+mRPp8iMITpMaVe8=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for dmarc@ietf.org; Mon, 30 Mar 2015 03:46:05 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com; dmarc=fail author.d=isdg.net signer.d=beta.winserver.com (unauthorized signer);
Received: from hector.wildcatblog.com (opensite.winserver.com [208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 1415194778.15001.5300; Mon, 30 Mar 2015 03:46:03 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=6406; t=1427704959; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=hfaf/cP k+uSsDo/pC+JmALMh3pgmos0rIIR80WbcfY8=; b=DayYpnLPT1O4FezRFGEUmWC kaVq7lqAWkHwr73cwIACik2v7LcNqISmkKgWSuP5qtiaxlqAFrENU2Pj5UosB6il Q2CR3LbrYvgXFU/4CKFMMRCaTczJtJ5WbX/CqdaxhAWKSaDk413jG2azjSVJKgkg 5s2vePlcdM43BN7urJR8=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.4) for dmarc@ietf.org; Mon, 30 Mar 2015 04:42:39 -0400
Received: from [192.168.1.2] ([99.121.4.27]) by beta.winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 7494785.9.12212; Mon, 30 Mar 2015 04:42:38 -0400
Message-ID: <55190D49.40608@isdg.net>
Date: Mon, 30 Mar 2015 04:46:01 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: "Murray S. Kucherawy" <superuser@gmail.com>
References: <20150318200459.23F9B18020A@rfc-editor.org> <CAL0qLwZF2=0rDC=6bSW-koGYJN_Dpx6Otpfh_LDW59gUNY3adg@mail.gmail.com> <550CAFEE.8060706@dcrocker.net> <CAL0qLwbO4ZhpdawCG6OcYeijbRVC9sCu7za+6dVKqRBKj0n_+A@mail.gmail.com> <550D6A2D.7050500@gmail.com> <87vbhunw0v.fsf@uwakimon.sk.tsukuba.ac.jp> <550E10C5.1070509@dcrocker.net> <CAL0qLwaoxqa9f6m3+gG3tGuNG+=otQz8HbavgGVPE7z_6zpPrA@mail.gmail.com> <55100395.4060003@dcrocker.net> <30834.1427141274@vindemiatrix.encs.concordia.ca> <55107A81.6000702@dcrocker.net> <3262.1427212761@vindemiatrix.encs.concordia.ca> <6F28A207601345BBAF012FED7BE612EE@fgsr.local> <CE39F90A45FF0C49A1EA229FC9899B0525FDC496@USCLES544.agna.amgreetings.com> <B7F274B2A3B54CBC9C527223DB36F65D@fgsr.local> <55136A23.8080306@isdg.net> <CAL0qLwZp-_ahqo13KM9-XXJYcECj5H7cuK_QCjWDEYVj_6XEGA@mail.gmail.com> <201503262312.t2QNCDeF002084@shadrach.encs.concordia.ca> <87twx7j6yb.fsf@uwakimon.sk.tsukuba.ac.jp> <CAL0qLwbS2My9Xmr1pc3LoB1ksST1GkOKg479J6uBS-cWatOj8g@mail.gmail.com>
In-Reply-To: <CAL0qLwbS2My9Xmr1pc3LoB1ksST1GkOKg479J6uBS-cWatOj8g@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/MAyg2rxQLZCrCDN8FqV3Yyk0vxM>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>, Michael Jack Assels <mjassels@encs.concordia.ca>
Subject: Re: [dmarc-ietf] Next steps for RFC 7489 (DMARC)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2015 08:46:20 -0000

Murray,

Thanks for your comments. The key difference today is that we have 
finally achieved the long term engineering considerations of:

   1) Getting domains to publish DNS policy records,
   2) Receivers performing the DNS policy record lookup,
   3) Receivers honoring the mail handling.

We did not have this with ADSP when ATPS was first introduced as an 
extended ADSP add-on.  ADSP, the DKIM WG proposed standard track item, 
was in conflict with what we reestablished today as "indirect mail 
flows" and the key cogs of the DKIM WG was focused on eliminating the 
Author Domain Identity (ADID) from the specification and making 3rd 
party Trust Signers (SDID) the key focus identity for DKIM evaluation. 
  ADSP was being abandoned and you help kill it by eventually 
replacing it with DMARC.

If you redid ATPS as an add-on DMARC, I suspect we will have a higher 
interest in its exploration.   The marketing and need would be much 
higher than before.  It will certainly push forward our own update 
efforts (Replaced ADSP with DMARC and I would like believe other mail 
product and EPS vendors, including MLS developers would also would 
update DMARC to support a new SDID (Signer Domain Identity) optional 
parameter in the DNS policy record lookup:

       DMARC = DKIM_POLICY_DMARC(ADID [,SDID])

We are already doing the lookup as a function of ADID. We established 
that. Thats the difference today than yesteryears.  Now we just 
proposing to make it flexible for the 3rd party signature condition 
when the ADID != SDID.

We also long established, which I believe all the trust advocates 
agreed, that resigners are good.  They are needed when the original 
authenticity is lost, i.e MLM.

Will the vendors support it?    Who knows? But the market is different 
today and that is all I am saying, you can't judge the lack of 
interest before because ADSP was being abandoned.   DMARC is not being 
abandoned.  It now needs to be completed with that 3rd party component.

I suggest a simple update of ATPS to anchor off DMARC and see if we 
will get the exploration.  You will get two immediate packages to 
support it.  Yours and mine.

If in the mean time, you come up with something better, great. I don't 
see it because it will always need to be verifiable with the 1st party 
again, but now we will be able to explore all the scalability issues. 
  I personally don't think the the non-ESP domains will need to worry 
about that.   Perhaps the biggest challenge for the larger ESP is how 
to best register the domains.   But thats an implementation issue, 
perhaps using a Web site with other business decisions such as free or 
fee-based.   Let the each market vendor decide that. In the mean time, 
we need the 3rd party Authorization extension for DMARC.

Thanks

--
HLS


On 3/27/2015 2:59 AM, Murray S. Kucherawy wrote:
> On Thu, Mar 26, 2015 at 11:22 PM, Stephen J. Turnbull
> <stephen@xemacs.org <mailto:stephen@xemacs.org>> wrote:
>
>     Murray's point is that "proof of illegitimacy" is probably a pipe
>     dream, as shown by past experience with "policy frameworks".[1]
>     Legitimacy, on the other hand, is fairly easy to prove, as DMARC shows
>     in daily use by financial institutions and in other transactional mail
>     flows.
>
>
> Put another way, you only really know something when DMARC, DKIM, SPF,
> etc. produce a passing result.  (Due credit to Dave for this
> observation.)  All of them have false negatives with respect to
> anything that's not a direct mail flow, so "fail" results don't tell
> you anything conclusive if you plan to accept any sort of mail that
> isn't direct.  What Hector characterizes as a watering down of SPF
> with the publication of RFC7208 was merely this fact put into text,
> even though it's been true since RFC4408.
>
>     Footnotes:
>     [1]  Hector is right that they haven't really been tried, but I don't
>     think the chance that they'll be tried in the future is high, because
>     the reasons they've been hard to implement in the past remain true.
>
>
> I agree.  And although Hector likes to ascribe considerable power and
> influence to me, I'm not the one standing in the way of their
> success.  I would happily embrace any such solution that stood a
> chance of working.  I, and others, simply ask some basic questions
> about scalability of such solutions, their complexity, and their
> ability to be "gamed", and then they never go anywhere because there
> simply aren't any good answers to those questions.  Thinking I might
> be wrong, and since the same people insist I am, I published RFC6541
> (ATPS) as an experimental draft to try to tackle the third-party
> problem, and made a free version of it available via open source.
> That was over three years ago.  There has been exactly one site (one
> person, rather) that tried it besides me and reported back about its
> effectiveness.  Though Doug will shortly claim that ATPS saw no uptake
> because it is "flawed", I also had a grand total of zero operators
> report that they were using it in any modified form or asking me to
> add this or that to it before they would deploy it to production.  It
> wasn't just an idea, it was a reality, but nobody came to play.
>
> Policy and third-party solutions haven't failed because of some cabal
> keeping them from seeing the light of day, unless by "cabal" you mean
> "group of people who agree that this won't work."
>
> These are hard problems, and the last thing any of us should want to
> do is foist yet another blob onto the global email infrastructure that
> has not been properly vetted.  If an idea doesn't stand up to scrutiny
> or gets no uptake, or can't even get consensus in a small working
> group, what prayer does it have for success on the greater Internet?
> I want to make things better, not worse.
>
> There are those among you that disagree, I know.  Does anyone have
> actual data (not theory, not passion, but data) that any of the policy
> or third-party solutions we've discussed before can work, work just
> about everywhere, and work at scale?  If the answer to that is "no"
> (or, as usual, silence), then I suggest this (still!) isn't a
> productive use of our precious time or energy.
>
> -MSK
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

-- 
HLS

v2.23.0 | Report a Bug | By Email