IETF Logo Mail Archive

Re: [dmarc-ietf] Two basic Issues to address to help complete DMARCbis

Dotzero <dotzero@gmail.com> Sun, 23 April 2023 20:17 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 122E5C151719 for <dmarc@ietfa.amsl.com>; Sun, 23 Apr 2023 13:17:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U32G938Uq64i for <dmarc@ietfa.amsl.com>; Sun, 23 Apr 2023 13:17:46 -0700 (PDT)
Received: from mail-ua1-x92a.google.com (mail-ua1-x92a.google.com [IPv6:2607:f8b0:4864:20::92a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 294ABC151710 for <dmarc@ietf.org>; Sun, 23 Apr 2023 13:17:44 -0700 (PDT)
Received: by mail-ua1-x92a.google.com with SMTP id a1e0cc1a2514c-771d9ec5aa5so15936074241.0 for <dmarc@ietf.org>; Sun, 23 Apr 2023 13:17:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1682281063; x=1684873063; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=lh5j+uTWDnOoOB5OeACNdvAYQ6zPI5ZrkC5v5kZtXOo=; b=GFjL0CePHmuolrw7K2NJN+Dh48eeaANY+kXkzbESKJP9uScx3Uodypi2GLHAppS6L/ YXLZ685Y5DvhoLp0Fc5X87GNNdRKvsno5IiyTsAsja090w2RgGnNyt/55GkfFBnbax59 6RS40rXpBvU4HxMLT09QEakF4KDUO2Lr921xa0bFTJV9wmYbj5B7acxldGjYrwXJsgWd rVl3hzF/heJASa4/bgTJPLgXGmxDNPEM2al8THYP7g32gQIgG9+X5q6rE+XOHJrDt0V9 h4xsjsyMDNTYQ3jIgQroUkHcaYmvtdMGDU+O60N/cufwJBpZe2LAnBYCjYMQU2LpLdpl ckjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682281063; x=1684873063; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=lh5j+uTWDnOoOB5OeACNdvAYQ6zPI5ZrkC5v5kZtXOo=; b=h3S10mzlXIlQWFvMtg2oWFadY/foMLBjSAbq5gLiWIfwFcvWstNO0TdGIzRe11P2ZM Qlt3gcddWCucY4mh3ghNf/ObzyRPiBORDhIXoo785JFqSKCUnddnWO8rtor6pDvNox4l L9xD3k2TNxIUMEOKTjkGMaBhuT4LcS+J7QaDppSm2IOsU0+TifnEOPdtSQkWG2jUG1zV jEhYHShrCu3SvphSiMlQ0b13cPL6lwd5Y2heEw0EE52uMC9Hdo1aRWirfmF0SGfTv0PG b+7j3xWXM3gLGSgPOpvLrudDB4y9QFZl5ozf4Vu8ZE9XkeqtiT4MeFRrdYSRSor5dvw0 2P1g==
X-Gm-Message-State: AAQBX9cSnphxRh2o/XZEaz9fyTj8nIQeljU1wJvEsn+5/iZ9daPgmzZj bmqxNZIJz+rnMlkPz654Mc6i3yd43aLy3I8nnlyqmARW
X-Google-Smtp-Source: AKy350ZlGeaRAIqa2JRFVMELlUX2X3zbyJLSppuwM/d9nquXLMPs1su54bbx4/ABqTrFg6BFYMZbcHXAwT3mnPDptnY=
X-Received: by 2002:a67:c190:0:b0:42e:4383:783d with SMTP id h16-20020a67c190000000b0042e4383783dmr5309083vsj.3.1682281062926; Sun, 23 Apr 2023 13:17:42 -0700 (PDT)
MIME-Version: 1.0
References: <0abf9711-ca1c-bfcf-afb2-15e16b9de149@tana.it> <20230420153727.DB568C106CE9@ary.qy> <CAJ4XoYeyoOYeXW1QN+yeMbxt4SF7Kn2Xi=FP7VmX4MhKiDi9hQ@mail.gmail.com> <C3D9E708-EDC7-43BC-AE5E-DF4FFAECCC2B@kitterman.com> <7e2ae4c0-6ebf-4539-55b9-e5d85765a024@tana.it> <185759A8-10CD-40F8-89C8-FE774B077F52@kitterman.com> <a31a3a91-1fe1-40b0-ae4c-0e76520e722c@tana.it> <644568C6.4000407@isdg.net>
In-Reply-To: <644568C6.4000407@isdg.net>
From: Dotzero <dotzero@gmail.com>
Date: Sun, 23 Apr 2023 16:17:31 -0400
Message-ID: <CAJ4XoYdFxA8hvCQRHargBay471UcNCyMC=ff2LoxB=rKxShTog@mail.gmail.com>
To: hsantos@isdg.net
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002b0f6105fa06958c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/OlkcFXeEQEj_iv79kVOOZU3C9CM>
Subject: Re: [dmarc-ietf] Two basic Issues to address to help complete DMARCbis
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Apr 2023 20:17:47 -0000

On Sun, Apr 23, 2023 at 1:20 PM Hector Santos <hsantos=
40isdg.net@dmarc.ietf.org> wrote:

> On 4/23/2023 6:10 AM, Alessandro Vesely wrote:
> >
> > Meanwhile, digressions about ATPS and similar schemes can help
> > casting some light on future evolution.  From: rewriting cannot be
> > the final solution; it is a temporary hack.  Digressions don't slow
> > down the publication, as discussions about actual text quickly
> > prevail.  They are just a mean to help convergence toward a common
> > vision of the future.
>
> With each year, that "temporary hack" becomes the new normal and it
> will be harder to clean up. It is not the right way and I don't  its
> too late to reverse.  However, it has been 17 years and DMARCbis is
> not finished without some clean up in this area.
>

It HAS NOT been 17 years for either DMARC (first published in 2011  and
first submitted to IETF as informational in 2015) or DMARCbis. Let's at
least use publicly available data points for time frames rather than time
frames pulled out of thin air.

>
> First, Section 4.4.3 should have text on using extended tag methods to
> provide 3rd party authorization methods.  Just add the RFC 6541
> abstract or version of it:
>

No! Supporting and referencing an experimental specification which has
never gotten significant traction is the wrong way to go. If you believe
that ATPS is the right path then YOU should work to attract a wider range
of participants to use ATPS and then provide data back to IETF, whether
through an ATPS working group or a DKIM working group that is chartered to
undertake that work.

>
>      ATPS [RFC6541] is an experimental specification proposed which
> adds a extended tag "atps=" allowing
>      advertisement of third-party signature authorizations that are to
> be interpreted as equivalent to a signature
>      added by the administrative domain of the message's author. ATPS
> was designed for ADSP.  There is interest to
>      apply this tag to DMARC to help deal with unchecked but
> authorized resigners false positives.
>

You don't even need a working group at this point to validate that ATPS
works and that it can scale in a workable manner. It has not been shown
that ATPS scales with regard to adds and deletes of individual tags. As you
quite rightly point out, ATPS was designed for ADSP, not DMARC. I have no
problem if you and others wish to experiment but you should do your
experiment first and then seek agreement from the wider community before it
gets embedded in another specification. Why should ATPS be granted special
consideration vs other proposals out there? It shouldn't.

>
> Second, there are possible outcomes with members using restrictive
> domains:
>
> 1) Legacy MLS/MLM, unaware of protocol, unchanged author domain,
> submission mail integrity is broken due to long time practice of body
> and subject changes, can cause members of a list to be
> auto-unsubscribed when their receivers begin to honor p=reject and
> reject mail integrity DKIM failures.
>
> 2) Protocol Awareness, honoring the policy, constraining subscription
> and submissions to unsecured submissions.  Restrictive domains not
> acceptable for list submissions.  Note: It is possible to allow a
> Read-Only List Member concept.
>
> 3) Protocol Awareness, not honoring policy and tearing down the author
> security, replacing with unsecured distribution.
>
> The correct way for any protocol is to close security  loopholes. In
> this case, recommend #2 using Subscription and Submission controls.
> Let the author domain figure it out.  DMARCbis MUST recognize if the
> intent of the domain is to clean up their brand, by implementing hard
> failure rejects at both SPF and DMARC, then it should recommend
> handlers SHOULD honor the policy of the domain or be prepared for the
> possible false positives.
>
> I can understand why DMARCbis's editor does not want to document
> rewrite, but imto, can't be ignored anymore.   The details of a
> rewrite can be quickly outlined.  To help the RFC process, maybe
> DMARCbis could refer to the Functional Specifications of SSP (RFC5016)
> Section 5.3, Item 10 which basically reinforces the idea that local
> policy ALWAYS prevails and it is quite possible there will be
> undesirable tearing down of secured submissions.  One possible
> mitigation is to replaced it with a secured rewriter with a p=reject
> policy.
>

SSP is long gone and failed. Referencing something which failed to gain
support many years ago is also not a path to go down.


> I don't think the above will take long to do and I believe will help
> resolve the conflict.
>

It doesn't resolve the conflict. As I stated above, if you believe in ATPS
then you need to attract a wider range of participants for your experiment,
including sending domains, receiving domains and intermediaries (and not
just mailing lists). Repeating "this solves the problem" is not data.

Michael Hammer

v2.23.0 | Report a Bug | By Email