Re: [dmarc-ietf] DSAP "DKIM Sender Authorization Protocol" for DMARC
Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 19 April 2023 10:57 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C48FC13AE2A for <dmarc@ietfa.amsl.com>; Wed, 19 Apr 2023 03:57:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Y0KL6iKX3hO for <dmarc@ietfa.amsl.com>; Wed, 19 Apr 2023 03:57:02 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A73DDC14EB19 for <dmarc@ietf.org>; Wed, 19 Apr 2023 03:57:02 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id 38308e7fff4ca-2a8afef50f2so26955761fa.2 for <dmarc@ietf.org>; Wed, 19 Apr 2023 03:57:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681901821; x=1684493821; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=hbew7wL+4I/AGQ8yldTigcat6k/YWh/I8h/WzRitZfU=; b=Vnh2UFqtLlphm+JFBzyFvdI5nL8RKDDyHA0WSyUcX4jkvt+czka6rJEipRgqUJSwFo JIb1NYazocaj7Fk5Cowgsk7BdG4VTQVgPNrNk+hHSVcq6T8c3XeoXNUwLaNvwf9ZgBWF ZqefFofL6Ijc4E60g3w8uyBx/79ahO5UEOrKmrz8uoYimrH9CkyVBdhazKuPHHFmC+Bk A9WpM+wtDnVMSG7RRSwmpcQEPtxKhL1488iq79jcEnC66anober+G8xRQiAfIDkEM2YH ZM4vQ5zK1ig9iFFHyW2m4PFPBPtTESwpLY4HaxAccqr/T6CzN4u2t7jkjy8PokIx4/qD aJgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681901821; x=1684493821; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=hbew7wL+4I/AGQ8yldTigcat6k/YWh/I8h/WzRitZfU=; b=LykkaAaySgkYPZrORIh82LrlrJTGeWej2UMz4tPXjbZ9i9bLMh8AjlvV4IsUu9/o58 7eHpDMd5UfAF+6gxYRUgf3fgsgJ2+7BJHNo8rarXQ5e+CAf7NujKp59vY3zbNTv9WxDD juztUizbDq0CLqvfKmfeqp8F/UDDizUeOsQSS/sicqR9lw+FWoqvtrvqz1SA56gcrkVv U+GdPxfaxo45v9YZh13N7vqpoyitOQDhkZ4naGZpA3OK62CBUYFSG6tHO7g0VhPmoJPC 0qgjhy73QqRZRXcyY7er6G2STcb0XuwX4sUcMIcs3S9aQjum4noE0quXY54jwkimT+f5 getA==
X-Gm-Message-State: AAQBX9eWVnxbdKzWUbb66a9XhJOf1hLj1jJf2ClQii33J45DxmkMzDNK y3YwHLFEBY8WsMmmUW1uDxOj8DHHje0mdlev3WA=
X-Google-Smtp-Source: AKy350ZbFS+TfRS30nZrzl+mxbDHc/vk2dDHAaB2+CMWS5NrP+22xpmygaejVYEw/fTU9Zx/pT8CfGsciZ99W1IiYss=
X-Received: by 2002:a05:6512:517:b0:4eb:a8c:5f22 with SMTP id o23-20020a056512051700b004eb0a8c5f22mr4101531lfb.5.1681901820679; Wed, 19 Apr 2023 03:57:00 -0700 (PDT)
MIME-Version: 1.0
References: <835E8C7C-431F-43A4-96DC-C3ED37325DFF@isdg.net>
In-Reply-To: <835E8C7C-431F-43A4-96DC-C3ED37325DFF@isdg.net>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Wed, 19 Apr 2023 06:56:49 -0400
Message-ID: <CAH48Zfx0Qn2xxfovieoqMomOZFLrbY45JNQowZ4d4jUi46bAcg@mail.gmail.com>
To: Hector Santos <hsantos=40isdg.net@dmarc.ietf.org>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000919c7605f9ae4839"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Pjx3AU4pGSOhqRbVoUkfi3_TW8M>
Subject: Re: [dmarc-ietf] DSAP "DKIM Sender Authorization Protocol" for DMARC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Apr 2023 10:57:06 -0000
Hector, does your proposal allow for constrained delegation? I think we have a problem if this type of third-party signing allows any account at the list domain to impersonate any account in any participating domain. DF On Sat, Apr 8, 2023, 2:01 PM Hector Santos <hsantos= 40isdg.net@dmarc.ietf.org> wrote: > Summary: > > I would like to reintroduce the DSAP (DKIM Sender Authorization Protocol) > as a DMARC extended tag extension -dsap. The original DSAP draft covered > nine 1st vs 3rd party signature policies from a verifier viewpoint, which > addressed boundary conditions for DKIM signatures. The reintroduction aims > to address concerns regarding 3rd party resigners. > > Key changes proposed for DMARC integration: > > o Introduce -dsap tag for DSAP support, covering a complete range of > possible policies. > > o Use -asl tag for inline list of authorized signer support. > > o Implement -atps tag for ATPS support. > > o Formalize the From rewrite logic with a -rewrite tag. > > o Introduce -target tag to assist mail forwarders with authorized > redirection of exclusive policies. > > The proposal seeks to offer better integration with today's wide range of > mail applications, building on the existing DMARC protocol and improving > 3rd party authorization and reporting. > > > Background: > > In 2006, I submitted an I-D DSAP “DKIM Sender Authorization Protocol” that > covers the boundary conditions for 1st vs 3rd party signature > expectations. There are nine 1st vs 3rd party signature policies in DSAP > from a verifier viewpoint: > > Original 1st Party Signature (OPS) > Not expected (-) > Expected (+) > Optional (~) > > Third Party Signature (3PS) > Not expected (-) > Expected (+) > Optional (~) > > Using these expectations, DSAP can cover most if not all possible Boundary > Conditions for DKIM signatures. > > I would like to re-propose DSAP but this time as a DMARC extended tag > extension `-dsap` as I believe it can address our concerns regarding 3rd > party resigners. > > Here is the 2006 DSAP proposal I plan on updating to support DMARC and > ATPS: > > https://datatracker.ietf.org/doc/html/draft-santos-dkim-dsap-00 > > History: > > The DKIM Policy Model began with SSP “Sender Signature Practices/Policy.” > This image illustrates the overall process: > > > [image: SSP Overview] > > Many today do not realize the original DKIM included Signature Policy > protocol called SSP. It was spit into DKIM-BASE and DKIM-SSP to help > speed up the process. DKIM was well defined but SSP was not. SSP covered > various signing scenarios, however, there were 3 policies missing which > DSAP covered: > > [image: v3_slide0022_image050.gif (392×199)] > > The DMARC protocol offers an exclusive only policy with > p=reject|quarantine. This would be a -dsa=OP+,3P- policy With DMARC p=none, > no other policy possible in terms of expectation other than an unhandled > failed exclusive policy. So DMARC is very limited making it a very to > integrate with today’s wide range of mail applications. > > DMARC also introduced two more takes that I would like use replaced with > DMARC and ATPS. > > For Reporting, DSAP provides tags for failure reports. This is now > well-defined with DMARC. [DSAP only considered failure reports]. > > For 3rd party authorization, DSAP provided the -asl tag. The asl tag was > an inline small domain list tag. But it can also signify a check using > ATPS for higher scale applications. > > Everything would be the same with DMARC and DMARCbis. The change would > be: > > -dsap tag for DSAP support for the complete range of possible policies. > > -asl for inline list of authorize signer support > > -atps for ATPS support > > I would also like to formalize the From rewrite logic with a tag: > > -rewrite > > Which tells a resigner it may rewrite the From under certain conditions. > > -target is a new tag to help mail forwarders. > > DMARC has considerations for SPF results with a strong alignment > requirement. One scenario where a -dsap=op+,3p- is with SPF hard failure > during mail forwarding. The -target will allow a forwarder to resign as a > 3rd party without -asl or -atps requirements. > > — > Hector Santos, CEO/CTO > Santronics Software, Inc, > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- [dmarc-ietf] DSAP "DKIM Sender Authorization Prot… Hector Santos
- Re: [dmarc-ietf] DSAP "DKIM Sender Authorization … Douglas Foster
- Re: [dmarc-ietf] DSAP "DKIM Sender Authorization … Douglas Foster