Re: [dmarc-ietf] Display address, was Mandatory Sender Authentication
Hector Santos <hsantos@isdg.net> Mon, 10 June 2019 19:23 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D01A1200E9 for <dmarc@ietfa.amsl.com>; Mon, 10 Jun 2019 12:23:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=KoSLcw0l; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=QPNcN0v5
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zaRJz-pWaGBY for <dmarc@ietfa.amsl.com>; Mon, 10 Jun 2019 12:23:34 -0700 (PDT)
Received: from mail.winserver.com (pop3.winserver.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 5617312007A for <dmarc@ietf.org>; Mon, 10 Jun 2019 12:23:34 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=1982; t=1560194607; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=V8VRgK0Cm/euUaDqxk5lRLX262Q=; b=KoSLcw0lAYb6crEvH4wjojtf4rRXyRGW5J6e7TTtp+TYBTjYJPcsg/DYq9k5zQ dCYOSeuprpi4oKXwLYtzR/znIwNU4WZABM1nvahNCgJzMoUz0QeG0XwBdUomFvq9 zjgjUAKJTxsH/CBv0PBXxq36uWVLIN9cS5+h5MnP+p/PI=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Mon, 10 Jun 2019 15:23:27 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 987047889.1.4508; Mon, 10 Jun 2019 15:23:26 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=1982; t=1560194412; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=bJ4g3DX uFyS6jug/pnhCDIMPtT475Vb27OglYnJ1h7A=; b=QPNcN0v5A+yfRonk4C/NzT4 qt8dd3IgWlP7q+2PxgLgd9TS6KQD5wvWd6qly4OhwXTJeU58jQtOyE9neivt3EIl bjuM0X2yufX1DXLpGnRza+qjOIunsqmSMVUcj/bKoZjzfeleN5Kw3gN7iCZDwdeJ A07c2DRaX5pY+mcV8r/M=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Mon, 10 Jun 2019 15:20:12 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 2559267754.9.348464; Mon, 10 Jun 2019 15:20:11 -0400
Message-ID: <5CFEAE2E.90308@isdg.net>
Date: Mon, 10 Jun 2019 15:23:26 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <20190603142956.66B31120252@ietfa.amsl.com> <45cdc0da-5243-3a62-b217-8d5e4ea9ea11@dcrocker.net> <941abdbf28684283b972f69f25876220@bayviewphysicians.com> <5524dbb3-27ff-4aa8-aaf0-fc3a3fc23418@dcrocker.net> <1df2cc6b-c169-59ca-08f6-dadc06a702c6@tana.it>
In-Reply-To: <1df2cc6b-c169-59ca-08f6-dadc06a702c6@tana.it>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/NIFAhfyhqSZlhiptXjdhItPf_Vg>
Subject: Re: [dmarc-ietf] Display address, was Mandatory Sender Authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jun 2019 19:23:37 -0000
On 6/10/2019 4:17 AM, Alessandro Vesely wrote: > On Sat 08/Jun/2019 18:49:03 +0200 Dave Crocker wrote: > >> Except that most users don't actually see that address because these days most >> MUAs only display the display address. > > > We often came across this realization. Since DMARC hinges on that field, I > think the spec should include some advice to MUA implementation. > > A trust on first use (TOFU) approach would seem to be possible. On getting the > same display name linked to a different domain part, a user would be required > to configure the MUA's behavior for this particular name / domain. > > Does this subject deserve a ticket? > Don't you think we might repeat and come to the same conclusions regarding MUA considerations in this regard? The primary concern would be 5322.From "Display" spoofing with the theoretical Multiple 5322.From headers potential exploit. A 2010 proof of concept list message example was showed it was possible to contain a valid DKIM signature and with a spoofed From display from "President Obama:" http://mipassoc.org/pipermail/ietf-dkim/2010q4/014680.html This created a long threaded discussion, and if I recall, the topic was repeated a few years later where I believe we had a consensus this was a "RFC5322 Boundary Layer" issue where the MSA/MDA or the backend would be better at handling the RFC5322 "validity" of an inbound message. It would be a good idea for receivers to do RFC5322 checking anyway instead of "passing the buck" to the many different MUA vendors including the many legacy MUAs people still enjoy today. If any protocol guidance is necessary here, IMO, it would be to repeat the suggestion for RFC5322 validity/security checks SHOULD be done at the backend to better protect the MUA end users using different Offline, Online and Hybrids models of MUAs. An inbound message with multiple 5322.From headers SHOULD be invalided, rejected or discarded. -- HLS
- [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication Seth Blank
- Re: [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication John R. Levine
- Re: [dmarc-ietf] Mandatory Sender Authentication Hector Santos
- Re: [dmarc-ietf] Mandatory Sender Authentication Dave Crocker
- Re: [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication Dotzero
- Re: [dmarc-ietf] Mandatory Sender Authentication Dave Crocker
- [dmarc-ietf] Display address, was Mandatory Sende… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Dave Crocker
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Дилян Палаузов
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Dave Crocker
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Stan Kalisch
- Re: [dmarc-ietf] Display address, was Mandatory S… Dotzero
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Kurt Andersen (b)
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely