Re: [dmarc-ietf] Third party signatures

Alessandro Vesely <vesely@tana.it> Tue, 16 May 2023 07:37 UTC

Message-ID: <cfc239a8-ace9-d4c3-5f60-ee0de02b522c@tana.it>
Date: Tue, 16 May 2023 09:37:24 +0200
To: dmarc@ietf.org
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <6462EB35.5040600@isdg.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/MpMr7i-TVyYot_2_7j70Ygl6VUw>
Subject: Re: [dmarc-ietf] Third party signatures

On Tue 16/May/2023 04:32:21 +0200 Hector Santos wrote:
> I find it technically unfeasible and non-logical to support a high overhead, 
> complex ARC concept that has no promise of any solution for a DKIM Policy model 
> we have been seeking since 2005.


The concept evolved from the need to export Authentication-Results:.  The 
outcome is just a little more complex than DKIM.  Technical feasibility is 
proven by implementations.  I, for one, implemented it on top of DKIM without 
having to go through hoops.


> What are we solving in the first place with ARC?


IMHO, besides collecting A-Rs at various steps, ARC brings the ability to 
gather a chain of authentications.  Compared to an unordered set of DKIM 
signatures, ARC delivers a neat verification already at the (low) algorithmic 
level.

You have to implement it to appreciate it fully.


> In my technical view, it has been the PORT 25 unsolicited 3rd party signature 
> unauthorized by the author domain due to the dearth of scaled AUTHOR::SIGNER 
> Authorization methods.   ARC is not resolving this problem. The overhead is 
> horrendous.


Like DKIM, ARC tells you nothing if you don't trust the signers.


Best
Ale
--
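Alessandro's two points, that ARC yields an ordered chain of authentications rather than an unordered set of DKIM signatures, and that the chain says nothing unless the sealers are trusted, as an added illustration (example code written for this page, not from the original message or from any ARC implementation): a structural validator for ARC sets following the chain rules of RFC 8617 section 5.2. It assumes the cryptographic verification of seals and message signatures is done elsewhere, and `trusted_sealers` is a hypothetical local-policy allowlist, not something the RFC defines.

```python
from collections import defaultdict
def parse_tags(value):
    """Split a DKIM/ARC style 'k=v; k=v' field value into a dict of tags."""
    tags = {}
    for part in value.replace("\r\n", "").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def arc_chain_status(headers, trusted_sealers=None):
    """Return (status, reason) for the ARC chain in `headers` (name, value pairs).
    Structural rules of RFC 8617 section 5.2 only: contiguous instances 1..N
    (N <= 50), three fields per instance, cv=none on i=1 then cv=pass. Seal and
    signature cryptography is assumed verified elsewhere; `trusted_sealers` is a
    local-policy allowlist (an assumption of this example, not part of the RFC)."""
    sets = defaultdict(dict)  # instance number -> {field name: tags}
    for name, value in headers:
        lname = name.lower()
        if lname not in ("arc-seal", "arc-message-signature", "arc-authentication-results"):
            continue
        tags = parse_tags(value)
        i = int(tags["i"]) if tags.get("i", "").isdigit() else 0  # 0 fails the run check
        if lname in sets[i]:
            return "fail", f"duplicate {name} for instance {i}"
        sets[i][lname] = tags
    if not sets:
        return "none", "no ARC header fields present"
    n = len(sets)
    if n > 50 or sorted(sets) != list(range(1, n + 1)):
        return "fail", "instance numbers are not a contiguous run 1..N (N <= 50)"
    for i in range(1, n + 1):
        if len(sets[i]) != 3:
            return "fail", f"instance {i} is missing an ARC field"
        seal = sets[i]["arc-seal"]
        cv, expected = seal.get("cv", "").lower(), ("none" if i == 1 else "pass")
        if cv != expected:
            return "fail", f"ARC-Seal i={i} has cv={cv!r}, expected {expected!r}"
        if trusted_sealers is not None and seal.get("d", "").lower() not in trusted_sealers:
            return "fail", f"sealer {seal.get('d')} at instance {i} is not trusted"
    return "pass", f"ordered chain of {n} hop(s) is well formed"
SAMPLE = [  # constructed sample, not from the original message: origin hop, then a list hop
    ("ARC-Seal", "i=1; a=rsa-sha256; cv=none; d=origin.example; s=s1; t=1; b=AAAA"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; d=origin.example; s=s1; h=from:to; bh=X; b=BBBB"),
    ("ARC-Authentication-Results", "i=1; origin.example; spf=pass smtp.mailfrom=origin.example"),
    ("ARC-Seal", "i=2; a=rsa-sha256; cv=pass; d=list.example; s=s1; t=2; b=CCCC"),
    ("ARC-Message-Signature", "i=2; a=rsa-sha256; d=list.example; s=s1; h=from:to; bh=Y; b=DDDD"),
    ("ARC-Authentication-Results", "i=2; list.example; dkim=pass header.d=origin.example"),
]
```

Because the sets are keyed by their i= instance number, the order in which the header fields appear in the message does not matter, which is the ordering property a bag of DKIM-Signature fields lacks.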