IETF Logo Mail Archive

Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion

Dave Crocker <dhc@dcrocker.net> Fri, 31 May 2019 13:40 UTC

Return-Path: <dhc@dcrocker.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3C0E12009C for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 06:40:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dcrocker.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jH-q8zDGXdxo for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 06:40:05 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53828120075 for <dmarc@ietf.org>; Fri, 31 May 2019 06:40:05 -0700 (PDT)
Received: from [192.168.0.125] (178-164-174-220.pool.digikabel.hu [178.164.174.220]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id x4VDg7r4016373 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 31 May 2019 06:42:08 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dcrocker.net; s=default; t=1559310130; bh=BSXc/BKrEPmUpq+yu3Vd1ZAoQxW+yZZythWlzsWd2rY=; h=Subject:To:Cc:References:From:Reply-To:Date:In-Reply-To:From; b=Ubr5EX3hRtbL+egImXmEOI2hm8HXs/257OHWNTZYgR+oYF1an4OszQ36nCmqQ3rs/ BohY6sFvd4DRtF4KG7Dq8DKeeG+B7BTScOBv5zPyUUX2xL7KbG86DvAS6y33TYph+I O1ewBBoRb6RmBGSXyBONpiXNJaoueu3oX3+D3GcQ=
To: fosterd@bayviewphysicians.com
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <54FB29A0-517A-430E-AF5B-CB079CC3D7F6@aegee.org> <20190526144848.08A772014A0BF4@ary.qy> <CAL0qLwbxwLTpgYJN9qBTzi2oN1EMvAYuNoDbw5Rx5W46-WNyLA@mail.gmail.com> <alpine.OSX.2.21.9999.1905301712140.76792@ary.qy> <c559a331d90b49eba5b5f6e35ff4774a@bayviewphysicians.com> <1931a4e4-7112-56ae-24e6-b138466392b4@dcrocker.net> <f5106924930f41c5bd83a709e4307f8b@bayviewphysicians.com>
From: Dave Crocker <dhc@dcrocker.net>
Reply-To: dcrocker@bbiw.net
Message-ID: <fdeadc6e-3dd7-8a07-dfcb-35b048c6b4e4@dcrocker.net>
Date: Fri, 31 May 2019 15:39:54 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <f5106924930f41c5bd83a709e4307f8b@bayviewphysicians.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/MVHWtjYn4VmRx8d3aidCjk-aWvM>
Subject: Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 13:40:07 -0000

On 5/31/2019 3:59 AM, Douglas E. Foster wrote:
> Agency and signatures are well understood legal concepts.   3000 years 

The signature at issue here is done with DKIM.

Are you sure you are clear about the what the agency is it vets and what 
the scope of use for that vetting is?  I suspect you are assuming a 
different type and scope of authentication than DKIM is intended to 
perform.  It's not that your goal is unreasonable -- and indeed, s/mime 
and openpgp seeks to perform it -- it's that DKIM wasn't designed to do 
that.  DKIM was designed for use during tranfer to the point of 
delivery.  For this discussion, that means to the list processor (mailbox)


> ago, people sealed their letters with a signet ring stamped in warm 
> clay.   Signing technologies have changed in that time, but the 
> principle has not.   A courier is responsible for keeping the signed and 

Please note my earlier point about delivery and re-posting.  That 
implies a role for list processing that is considerably more than a 
courier's.


> sealed part of a message unaltered.   Envelope marks are acceptable.
> A digital signature is supposed to provide non-repudiation.  If I submit 

DKIM is a transfer-level signature.  That is, really, MTA-MTA (or, 
really, MTA-MDA).

A list processor is an MUA-level actor.  (cf, RFC 5598.)


> There are some obvious use-cases for MTA changes to a message, and we 
> would do well to document and address them.

Perhaps, but that's not at issue here.


> The first that comes to mind is MTA comment fields.

Huh?


> - A spam filter wants to add a tag indicating that the message is 
> suspicious, but not sufficiently suspicious to be blocked.
> IETF would do well to specify a mechanism for MTAs to add information 
> which MUAs present to the user, while identifiying that that the 
> information came from the MTA rather than the original sender.

You mean like adding a header field, outside of the ones signed by DKIM?

That's already permitted.  It's one of the reasons that the signer gets 
to decide what header fields to cover.

However, it looks as if you think presenting such information to users 
will be useful.  It won't.


d/
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

v2.23.0 | Report a Bug | By Email