Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd
Scott Kitterman <sklist@kitterman.com> Thu, 05 September 2019 05:16 UTC
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Thu, 05 Sep 2019 01:15:35 -0400
Message-ID: <2922527.kgd3cNqxNO@l5580>
In-Reply-To: <51219bbd-3785-e6bb-414a-bd564b6c856d@gmail.com>
References: <728d7df1-d563-82f4-bfb3-a65a75fdd662@gmail.com> <CAL0qLwacbAT04tckpPcRcnOt=1QByOBeJ7uDf6rNK6NRwtxZYg@mail.gmail.com> <51219bbd-3785-e6bb-414a-bd564b6c856d@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/NG5qX8IjP7ZlMOXTCVP9hZuMgo0>
On Wednesday, September 4, 2019 9:28:41 AM EDT Dave Crocker wrote:
> Murray,
>
> Thanks for the diligent reply.
>
> (As a matter of etiquette, I will again apologize for not having submitted my concerns earlier. Partially, this was because my assessment of the work did not gel until recently.)
>
> Some responses:
>
> On 9/3/2019 8:57 AM, Murray S. Kucherawy wrote:
> > From a higher level view, the experiment can be seen as the temporary construction of an augmented PSL (i.e., the actual PSL coupled with the queryable registry described in Appendix B), which DMARC then can consume to resolve the use cases that have appeared which now need to be addressed. The portion of the experiment comprising an augmentation to DMARC’s algorithm would therefore not be part of DMARC permanently. Then, if the experiment proves effective, that would become prima facie evidence that the PSL, augmented with this additional information, would enable DMARC to resolve those use cases. Such an augmented PSL would still conform to the desirable separation of functions to which you alluded.
>
> This model of iterative design does not match my own sense of IETF work, experimental or otherwise.
>
> Simply put, 'temporary' is an appealing but highly misleading construct, in the form and scale of a standards body.[*] The closest reality comes to matching that term is when the 'experiment' fails utterly and the effort must completely restart. When work like this operates over a period of years and at Internet scale, nothing is temporary.
>
> If an experiment succeeds, the specified work will have become entrenched and there will be significant resistance to making major changes.
>
> With respect to the use of this work as a model for changes to the PSL, unfortunately the spec is not written in a fashion to support that.
>
> This really is a core concern, in my view: the work needs to have a basic model that really is expected to be appropriate for the long term; hence my suggestion to highly limit any changes to DMARC and, instead, cast the bulk of the work as augmenting the PSL.
>
> That said, and as for getting changes to the PSL, based on my interactions with that community, I think it unlikely. There does not seem to be the interest or resources for such work. Strategically, that's the biggest hurdle to overcome, IMO.
>
> > In addition, there are a few very large players in the space who are unfortunately reticent to declare publicly that they are interested in seeing this evolutionary experiment proceed. These include large email providers and operators of sizable TLDs in need of the capabilities pursued here. This provides some weight to the idea that this will not be simply a niche experiment.
>
> Good to hear.
>
> > Lastly, we note that the idea of “walk up one node” came from an email thread in December[1] wherein you suggested that approach, and which the PSD draft now follows. We are thus a little surprised by the assertion that it should not proceed at all. Was there some content of that thread that was not taken into account that would make it palatable?
> ..
> > [1] https://mailarchive.ietf.org/arch/msg/dmarc/pQpKag3acqIISxb-SOrJ3mHFayI
>
> Sigh. Yeah. Still again, sorry. Mostly this is a case of letting an idea simmer for a while, to think about it more. My feeling is that the idea does not adequately attend to the items 1 and 2 I listed in that note.
>
> Hence my current view that:
>
> 1. The change to DMARC should be limited to permitting the query for the organization domain to be anywhere in the DNS tree, including a TLD. Within DMARC this would not look like 'extra' mechanism.
>
> 2. The mechanism that processes that query should be cast strictly as a PSL enhancement, independent of DMARC.
I think some related, but distinct issues are conflated in your analysis. The core PSD check doesn't need a PSL change. The current PSL works fine. The sequence is:

1. Check at the From domain level.
2. If no record, check at the org level.
3. [New] If no record, check one level above the org level (PSD).

That's all doable with the current PSL.

I don't think we want to force additional lookups between 1 and 2 for lower level domains. Currently for something like:

a.b.c.d.org.example

where only example is in the PSL, the queries would be:

1. a.b.c.d.org.example
2. org.example
3. example

As I read your proposal we'd have to add in queries for:

b.c.d.org.example
c.d.org.example
d.org.example

I don't think querying anywhere in the DNS tree is an improvement for scalability of DMARC. Adding the single additional PSD lookup works fine with the existing PSL.

There are two reasons to go beyond this:

1. Since most PSDs won't publish DMARC records, as an efficiency, let's not do that third lookup unless we have to.

2. PSD DMARC without some constraints on the additional lookup automatically opts in all organizational domains that do not publish DMARC records, which has privacy implications. This is discussed in Section 4.1 of the draft.

As it says at the start of Appendix B, the options proposed there are to mitigate the privacy risks described in Section 4.1. The related requirements discussion is in Appendix A, Section A.1. It is a beneficial side effect that they also reduce the need for DNS lookups and thus provide an efficiency enhancement.

If we didn't care about privacy, this would be easy. That's the hard part that does not have a clear solution. One thing that is clear is that it's not the PSL. PSL is a collector of assertions from operators, so it fails to meet the attributes laid out in A.1.

Scott K
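Scott's three-step lookup sequence and the label-by-label walk he contrasts it with, as an added example that is not part of this thread or of draft-ietf-dmarc-psd. The toy PSL and DNS records are constructed, and the real PSL's wildcard and exception rules are left out.

```python
# Added example, not code from the thread or from draft-ietf-dmarc-psd.
# Constructed toy Public Suffix List (plain suffix rules only; the real PSL's
# wildcard and exception rules are left out, which is an assumption).
TOY_PSL = {"example", "co.example"}
# Constructed DNS data, keyed by the exact _dmarc name a verifier would query.
TOY_DNS = {
    "_dmarc.example": "v=DMARC1; p=reject",     # record published by the PSD
    "_dmarc.mail.example": "v=DMARC1; p=none",  # an org domain that publishes
}

def labels(domain):
    return domain.lower().rstrip(".").split(".")

def public_suffix(domain, psl=TOY_PSL):
    """Longest PSL entry that is a suffix of domain; the TLD if none matches."""
    parts = labels(domain)
    for i in range(len(parts)):
        if ".".join(parts[i:]) in psl:
            return ".".join(parts[i:])
    return parts[-1]

def organizational_domain(domain, psl=TOY_PSL):
    """Public suffix plus one label; None when domain is itself a public suffix."""
    parts = labels(domain)
    keep = len(labels(public_suffix(domain, psl))) + 1
    return ".".join(parts[-keep:]) if len(parts) >= keep else None

def psd_lookup_sequence(from_domain, psl=TOY_PSL):
    """Scott's three steps: From domain, org domain, then one level above it."""
    seq = [from_domain]
    org = organizational_domain(from_domain, psl)
    if org and org != from_domain:
        seq.append(org)
    psd = public_suffix(from_domain, psl)  # the parent of the org domain
    if psd not in seq:
        seq.append(psd)
    return seq

def walk_up_sequence(from_domain):
    """Every label level up to the TLD: the 'query anywhere in the tree' reading."""
    parts = labels(from_domain)
    return [".".join(parts[i:]) for i in range(len(parts))]

def resolve_policy(from_domain, dns=TOY_DNS, psl=TOY_PSL):
    """First record in the PSD sequence wins: (level, name, record) or None.
    Stopping early is the efficiency point; a 'psd' hit for an org domain that
    publishes nothing is the automatic opt-in discussed in Section 4.1."""
    org = organizational_domain(from_domain, psl)
    for name in psd_lookup_sequence(from_domain, psl):
        record = dns.get("_dmarc." + name)
        if record is not None:
            level = "from" if name == from_domain else "org" if name == org else "psd"
            return level, name, record
    return None
```

For a.b.c.d.org.example the PSD sequence is three queries while the walk-up reading is six, and because org.example publishes nothing in the toy zone the PSD's p=reject is what applies to it.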