IETF Logo Mail Archive

Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

"Kurt Andersen (b)" <kboth@drkurt.com> Sat, 12 August 2017 00:16 UTC

Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2AB71324A2 for <dmarc@ietfa.amsl.com>; Fri, 11 Aug 2017 17:16:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6LRwuRHR_Pr7 for <dmarc@ietfa.amsl.com>; Fri, 11 Aug 2017 17:16:27 -0700 (PDT)
Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12EE91324A7 for <dmarc@ietf.org>; Fri, 11 Aug 2017 17:16:27 -0700 (PDT)
Received: by mail-wm0-x22d.google.com with SMTP id m85so2749406wma.0 for <dmarc@ietf.org>; Fri, 11 Aug 2017 17:16:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=6lhE17tElZ4vjUzweXnCID5W7f3Q7THlUpoEZ4J/bYM=; b=c9cTr80T4fMhnjyoA/te4jwls5gQXREEbqKCrPzqPtGHhKD1vS70eQfgVyknEuTadp +Ij4g4y0cQcGq1Osbv3RJ27QkammeJ0YBy9aZgKVjVkhWpAtIgaNIQ7kPtJNuV3iV88b HkOx051WNH76EHaNlX2gVS2n0nvNVch9ZIIQg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=6lhE17tElZ4vjUzweXnCID5W7f3Q7THlUpoEZ4J/bYM=; b=Cx0sci9BUrkzs9w0B5C9+5lzA2zKVI+CxoBABVDyX/+a8m+WJess82p1rW5wzzlOSF LeB+kG24wBLTme6/BoxmeVSzvfVLa1Cm0iYlzHbs+zrCoSKJFvu23HzLooeXjwhSe2Ob TrhpwuC/HiSwHywEtWJSHhqq+7PmrcT+V3X11xKcEuXk4FTXziqHmpeYJt+O5DyUZISe b0v47DyxNhUwSZKe4YQiiy+TOB1uZo3dAYiM6TDt/XHGRJtxpLFSybx5jIv2sJdiSbVU lWg2qYxYS9P1sNAW28yZJjgGzLiz1XuOiXofHJpnFJNdhXDY7zRZCHk+zf0dNnAyMUZa 7Cvw==
X-Gm-Message-State: AHYfb5jiINiH2gDhZG7iZea5SClFIHUTETArUCikQgjc6UDNW8mkBVgW NgplmCA8dDTCJWnhIhz5tLoiAn+Z5ZHmc7ALGQ==
X-Received: by 10.80.166.133 with SMTP id e5mr17046481edc.71.1502496985523; Fri, 11 Aug 2017 17:16:25 -0700 (PDT)
MIME-Version: 1.0
Sender: kurta@drkurt.com
Received: by 10.80.178.229 with HTTP; Fri, 11 Aug 2017 17:16:24 -0700 (PDT)
In-Reply-To: <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com>
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Fri, 11 Aug 2017 17:16:24 -0700
X-Google-Sender-Auth: 5kApih6ovpD4CUJpA9ohh792FGc
Message-ID: <CABuGu1qK6w4XwdG1krsn69kbX-fE=e26KpHRK3wXjsLgf6H8=g@mail.gmail.com>
To: Bron Gondwana <brong@fastmailteam.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0dd11e193afd05568357ea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/O-7bJ2IwFCtpddwfunVc3ZNQi-U>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Aug 2017 00:16:29 -0000

On Fri, Aug 11, 2017 at 4:54 PM, Bron Gondwana <brong@fastmailteam.com>
wrote:

> . . . it's a bad idea to sign if you're not modifying, because then
> everybody has to trust you or their chain breaks, even though you didn't do
> anything which required signing.
>

<elided>

>
> In state #1, you don't need a chain of ARC Seal.  You just need each site
> to sign their own AAR and each AAR to include "arc=pass" for the previous
> AMS.  You trust the sites, so you trust them to verify the ARC status on
> ingress.
>

In the current layout, "signing [the] AAR" is done via the AS. We wanted to
keep the AAR as close to the A-R header as we could to maximize leverage of
previous definitions rather than inventing an entirely new one. Initially,
we had intended the AMS to sign over the AAR, but people objected to
signing the AAR within both the AMS and AS scopes.

<elided>

>
> And this is the crux of our disagreement.  Seth thinks it's necessary to
> do more than signing a statement that you believed the message was
> authenticated when you got it, in a way that the next hop can verify your
> signature over your own Authentication Results plus the content of the
> message.  I disagree.
>

 One could replace the AMS with an "egress DKIM" signature, but then you
would still have to decide what to do about alignment on this new DKIM
signature. That's why we built the AMS - to avoid the question of alignment
and have the ARCset as a self-contained "package".

I see the point that you are driving at regarding the claim of "forgery",
but I don't consider that any more or less of a forgery than what the IETF
mailman will do to this message en route to the recipients. Mailman changes
the headers (Subject) and body. Seems like that's about what you've done in
the sample message...but at least you took responsibility for doing so with
ARCset[7] (or someone with the private key for brong.net ;-) ).

--Kurt

v2.23.0 | Report a Bug | By Email