Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
Dave Crocker <dhc@dcrocker.net> Fri, 31 May 2019 13:40 UTC
Return-Path: <dhc@dcrocker.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3C0E12009C for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 06:40:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dcrocker.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jH-q8zDGXdxo for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 06:40:05 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53828120075 for <dmarc@ietf.org>; Fri, 31 May 2019 06:40:05 -0700 (PDT)
Received: from [192.168.0.125] (178-164-174-220.pool.digikabel.hu [178.164.174.220]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id x4VDg7r4016373 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 31 May 2019 06:42:08 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dcrocker.net; s=default; t=1559310130; bh=BSXc/BKrEPmUpq+yu3Vd1ZAoQxW+yZZythWlzsWd2rY=; h=Subject:To:Cc:References:From:Reply-To:Date:In-Reply-To:From; b=Ubr5EX3hRtbL+egImXmEOI2hm8HXs/257OHWNTZYgR+oYF1an4OszQ36nCmqQ3rs/ BohY6sFvd4DRtF4KG7Dq8DKeeG+B7BTScOBv5zPyUUX2xL7KbG86DvAS6y33TYph+I O1ewBBoRb6RmBGSXyBONpiXNJaoueu3oX3+D3GcQ=
To: fosterd@bayviewphysicians.com
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <54FB29A0-517A-430E-AF5B-CB079CC3D7F6@aegee.org> <20190526144848.08A772014A0BF4@ary.qy> <CAL0qLwbxwLTpgYJN9qBTzi2oN1EMvAYuNoDbw5Rx5W46-WNyLA@mail.gmail.com> <alpine.OSX.2.21.9999.1905301712140.76792@ary.qy> <c559a331d90b49eba5b5f6e35ff4774a@bayviewphysicians.com> <1931a4e4-7112-56ae-24e6-b138466392b4@dcrocker.net> <f5106924930f41c5bd83a709e4307f8b@bayviewphysicians.com>
From: Dave Crocker <dhc@dcrocker.net>
Reply-To: dcrocker@bbiw.net
Message-ID: <fdeadc6e-3dd7-8a07-dfcb-35b048c6b4e4@dcrocker.net>
Date: Fri, 31 May 2019 15:39:54 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <f5106924930f41c5bd83a709e4307f8b@bayviewphysicians.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/MVHWtjYn4VmRx8d3aidCjk-aWvM>
Subject: Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 13:40:07 -0000
On 5/31/2019 3:59 AM, Douglas E. Foster wrote: > Agency and signatures are well understood legal concepts. 3000 years The signature at issue here is done with DKIM. Are you sure you are clear about the what the agency is it vets and what the scope of use for that vetting is? I suspect you are assuming a different type and scope of authentication than DKIM is intended to perform. It's not that your goal is unreasonable -- and indeed, s/mime and openpgp seeks to perform it -- it's that DKIM wasn't designed to do that. DKIM was designed for use during tranfer to the point of delivery. For this discussion, that means to the list processor (mailbox) > ago, people sealed their letters with a signet ring stamped in warm > clay. Signing technologies have changed in that time, but the > principle has not. A courier is responsible for keeping the signed and Please note my earlier point about delivery and re-posting. That implies a role for list processing that is considerably more than a courier's. > sealed part of a message unaltered. Envelope marks are acceptable. > A digital signature is supposed to provide non-repudiation. If I submit DKIM is a transfer-level signature. That is, really, MTA-MTA (or, really, MTA-MDA). A list processor is an MUA-level actor. (cf, RFC 5598.) > There are some obvious use-cases for MTA changes to a message, and we > would do well to document and address them. Perhaps, but that's not at issue here. > The first that comes to mind is MTA comment fields. Huh? > - A spam filter wants to add a tag indicating that the message is > suspicious, but not sufficiently suspicious to be blocked. > IETF would do well to specify a mechanism for MTAs to add information > which MUAs present to the user, while identifiying that that the > information came from the MTA rather than the original sender. You mean like adding a header field, outside of the ones signed by DKIM? That's already permitted. It's one of the reasons that the signer gets to decide what header fields to cover. However, it looks as if you think presenting such information to users will be useful. It won't. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
- [dmarc-ietf] Debugging and preventing DKIM failur… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Дилян Палаузов
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Murray S. Kucherawy
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John R Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dotzero
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Doug Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John R Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Elizabeth Zwicky
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Stan Kalisch