IETF Logo Mail Archive

Re: [dmarc-ietf] Next draft concerns

Douglas Foster <dougfoster.emailstandards@gmail.com> Mon, 13 June 2022 02:22 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5AAFC14F6E7 for <dmarc@ietfa.amsl.com>; Sun, 12 Jun 2022 19:22:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fd3q92zL5M1V for <dmarc@ietfa.amsl.com>; Sun, 12 Jun 2022 19:22:29 -0700 (PDT)
Received: from mail-oa1-x2d.google.com (mail-oa1-x2d.google.com [IPv6:2001:4860:4864:20::2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBD74C14F72C for <dmarc@ietf.org>; Sun, 12 Jun 2022 19:22:29 -0700 (PDT)
Received: by mail-oa1-x2d.google.com with SMTP id 586e51a60fabf-fe539f9afbso6746751fac.5 for <dmarc@ietf.org>; Sun, 12 Jun 2022 19:22:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=sEyMxGxSZ04/ZCuGNDirfo4KgP2glooghJiDmaXsROg=; b=H3AqZ5HRlNMnsDOvK9jY0fmU/DYzv4c1mIehNyEKqll1JJJlRcwTTuBmVDu6fZ+5IY 7FsGN/DoNWhWSphJ0vDKTli9160XFNX8AdWepx/r3esTt5CSZxIXhCPT+XJkcAEBVRED LBTySebbG77NQTnILVl3u9ooC+/FteLuuqByd9W/gBaZMJZ73VJhxgpIqb3VIC3hjMeE syWP/WOND/ilMNykwB+4/kBhCVKZ0SjE7NeEUktnw4HYfr1fA46Fppr91IfAMmizgMBm j0vBYBLPq9BpWNIUwsI+Aa0q3lh2UsOOukA0FRJXOZeiH/RZ2wReSeAVMUKplY+bjJmE bclQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=sEyMxGxSZ04/ZCuGNDirfo4KgP2glooghJiDmaXsROg=; b=p7pRRdi3USWGPftmOloh7CRJF9j9SUkpHpHaI2eWeTunZ11QUJzZZyHh02vqbpNBGC 2W31BpeoCOk0nZBzG/iHNApMjn6Cpx9SvLMNgycW5P41klGGk4CMowEQm4+pE89uw0ok sBhX6n9tF7oxzJpdXgTwGQ1y5njH19AT0XAgNjdgRix59GKKy9B6nc0/FjIqyUcokUTu V3Og/XJpxRv48GwqUzIMS6/X4bE4QaNKtN6pyIw1UvTm3L3z4u9RVpqM3fURleWkYnq3 Ec3YyrJApBO9Ihtb9vbuHuN0gyMQqb8OveqAwZazNgxVPAOs9Wdc9I04EBVTWQQqnBQo kWUw==
X-Gm-Message-State: AOAM530fnKK0hzqd+OGBMzMbtiOup1zpxmq6UYiUQFsf9C0KYD0FwP7u KEdI7zjbkT735rnUnNp41Wlby0Ji0VpUGS3t0EVVGJ4z
X-Google-Smtp-Source: ABdhPJw+vezJuT5Ts7kOZrJ7T1JqBCNO3tIguhFg5AxuzF1ZaUYcGNyYDhU7JZWNnmxTObgj6zzwm+pD0ofukI8PTT4=
X-Received: by 2002:a05:6870:42cc:b0:101:23db:82f9 with SMTP id z12-20020a05687042cc00b0010123db82f9mr3447801oah.58.1655086948932; Sun, 12 Jun 2022 19:22:28 -0700 (PDT)
MIME-Version: 1.0
References: <BL1PR12MB5753CEB436047B152714100FBFA49@BL1PR12MB5753.namprd12.prod.outlook.com> <20220609191051.F2709434C018@ary.qy> <BL1PR12MB57533941A9C6B481C75D9FFABFA79@BL1PR12MB5753.namprd12.prod.outlook.com> <CAH48Zfy7Jq_Xg9_Dx+o8JbaYAUNrQK52mn5GzC953mps67RG+Q@mail.gmail.com> <523E77F8-0ACE-4459-9F8A-A531D1734040@kitterman.com>
In-Reply-To: <523E77F8-0ACE-4459-9F8A-A531D1734040@kitterman.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sun, 12 Jun 2022 22:22:18 -0400
Message-ID: <CAH48Zfy-S1=7Mdo_Fe5jczp4+o2uL+jBTrf3KW+9OKWtZhUjkw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a9e1f105e14af5c8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/PQMVSN9cZh1W9R8yjO3mp1D-nKY>
Subject: Re: [dmarc-ietf] Next draft concerns
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jun 2022 02:22:30 -0000

Why am I unwilling to move on?

Because I want this document to succeed and actually reduce email-borne
attacks.

Because stifling of discussion does not lead to consensus.   It does,
however, drag out the process.   For those who do not want this process to
succeed, accumulated delay may be almost as good as a win.

Because I got on this "kick" after Michael Hammer asserted personal
knowledge of a successful attack based on sibling authentication.  I did
not discard his input simply because he was not at liberty to name names.

Because I reviewed the PSL, as you could have done, and gave you a list of
domains that were vulnerable to sibling authentication attacks based on
their current configuration.   I think you intended to beg each of them to
implement a PSD policy.   How is that effort going?

Because I manage an actual mail stream, and a destructive malware attack
won't mean a client organization is damaged or destroyed, it will mean my
organization is damaged or destroyed.    I have not forgotten that when
the group was asked for mailstream data, I think about usage of DKIM
sibling authentication, you said you had no access to a mailstream source.

Because I don't know your agenda.   I am here to voice the evaluator
perspective.   What interest group do you represent?

Because a good security policy does not defend against what has happened,
it defends against what could happen.

Because  a new idea like Tree Walk does not get adopted unless people
believe the pain of transition is less than the benefit, so it needs to be
"sold".    Currently, the tree walk risk seems greater than the PSL risk,
and you don't know how to sell past that objection.   Muzzling me will not
cause millions of system administrators to do something stupid simply
because you put it into print.

Because I have learned that repeating the same points is necessary to be
heard in this group.

That's why.



On Sun, Jun 12, 2022 at 4:38 PM Scott Kitterman <sklist@kitterman.com>
wrote:

> Doug,
>
> I believe I have asked you before to provide specific examples of current
> domains with records that will cause a problem if assessed via the DMARCbis
> approach.  If there's a real problem that needs solving, then surely there
> are examples of it.  If they're none, then how about moving on.
>
> I think you're misreading the thread.
>
> Let's have an example of a real domain, with a  real DMARC record, that
> would be negatively impacted by being assessed using the DMARCbis design. I
> haven't found any I think are problematic, but if you have, I'm all ears?
>
> Scott K
>
> On June 12, 2022 8:08:13 PM UTC, Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
> >Les' question has returned us to the problem of justifying the tree walk.
> > We need to document the problems with PSL, but we also need to
> demonstrate
> >that the tree walk solves those problems without creating others.
> >
> >In most cases, the tree walk and PSL will produce the same results,
> because
> >they will both find the top-most DMARC policy in a structure with neither
> a
> >private registrar nor a PSD policy.   So the justification is really
> >limited to those exceptions.
> >
> >We assume that most PSL errors will cause organization fragmentation,
> >because of identifying a private registry for XSS purposes which is not a
> >private registry for email purposes.    We also know that the current DNS
> >has no information about private registries, so if we apply the tree walk
> >to the current DNS, we may sometimes error by landing too high and causing
> >inappropriate organization consolidations.
> >
> >In the case that the tree walk stops lower than the PSL target, the most
> >secure solution is to believe the DNS policy.   This can only occur if the
> >policy has a DMARCbis token which explicitly says that a policy has the
> >Organizational Domain role.
> >
> >In the case that the tree walk stops higher than the PSL target, which do
> >we believe?    To tilt the decision in favor of the tree walk, we need a
> >token which indicates that the tree walk did not pass over an undocumented
> >private registry.   This will also require a new token on the
> >organizational domain, which is not yet defined.   I see these possible
> >informational signals:
> >- No private registries or organizational boundaries underneath this
> >organizational domain.
> >- All sub-organizations underneath this organizational domain are also
> >documented with organizational domain DMARC policies.
> >- A private registry exists underneath this organizational domain and is
> >documented with a PSD policy.
> >
> >This means that for either exception, a new DMARCbis token is required on
> >the organizational domain.   Consequently, a domain which has not
> published
> >an applicable DMARCbis token should be evaluated using the PSL, and a
> >domain which has published a sufficient set of DMARCbis tokens should be
> >evaluated using the Tree Walk.   This approach also satisfies our other
> >requirement, which is that the tree walk requires an organizational domain
> >policy.
> >
> >I know this is discouraging, because John's original hope was to avoid
> >placing a change requirement on domain owners, but I do not see that it
> can
> >be helped.
> >
> >Doug Foster
> >
> >
> >On Thu, Jun 9, 2022 at 3:18 PM Les Barstow <lbarstow=
> >40proofpoint.com@dmarc.ietf.org> wrote:
> >
> >> Thank you for the history fill-in, John. That does at least explain why
> >> we’re here and not somewhere else.
> >>
> >>
> >>
> >> I will respectfully disagree that the “psd” tree walk standard is
> >> well-defined based on the remainder of my response – that the use of the
> >> “psd” TLA for the tag is unfortunate/misleading and that more
> specificity
> >> is desirable. But having the alternatives eliminated at least gets me to
> >> “it should be in this spec”.
> >>
> >>
> >>
> >> On Thursday, June 9, 2022, John Levine wrote:
> >>
> >>
> >>
> >> It appears that Les Barstow  <lbarstow@proofpoint.com> said:
> >>
> >> >-=-=-=-=-=-
> >>
> >> >[Strong opinion follows]
> >>
> >> >
> >>
> >> >IMO [from April], determination of a DMARC authority boundary
> (registrar, PSD+1, private registry (+1), or internal subdomain
> >>
> >> >boundary) should really be done outside of the DMARC standard
> altogether – a separate DNS lookup not dependent or centered
> >>
> >> >around DMARC, and one flexible enough to respond with indications of
> various levels of authority. It is useful for
> >>
> >> >decentralizing other queries beyond just DMARC (e.g. determining an
> appropriate WHOIS TLD for lookup). Unfortunately, here we
> >>
> >> >are at draft 8 of the new DMARC standard and we have nothing to use as
> a sidecar mechanism.
> >>
> >>
> >>
> >> The DBOUND working group already tried and failed to come up with a
> >>
> >> general way to publish DNS boundaries, so we're not going back there.
> >>
> >>
> >>
> >> >Is there a driving need to have this in the standard NOW?
> >>
> >>
> >>
> >> Yes, of course. The point of writing a standard is to tell people what
> >>
> >> to do to interoperate. The current underspecified fudge which winks at
> >>
> >> the PSL has well known issues since, among other things, the people
> >>
> >> who run the PSL have made it quite clear that it's not designed to
> >>
> >> make DMARC work. It contains plenty of entries which make sense for
> >>
> >> web cookies but not for DMARC.
> >>
> >>
> >>
> >> The tree walk is well specified and doesn't depend on third parties
> >>
> >> who aren't interested in what we want or need.
> >>
> >>
> >>
> >> R's,
> >>
> >> John
> >>
> >> _______________________________________________
> >> dmarc mailing list
> >> dmarc@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dmarc
> >>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email