Re: [dmarc-ietf] ARC questions

Michael Thomas <mike@mtcc.com> Wed, 02 December 2020 23:30 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 941053A15FA for <dmarc@ietfa.amsl.com>; Wed, 2 Dec 2020 15:30:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.652
X-Spam-Level:
X-Spam-Status: No, score=-1.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dovppe2unYSd for <dmarc@ietfa.amsl.com>; Wed, 2 Dec 2020 15:30:09 -0800 (PST)
Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D92243A15FC for <dmarc@ietf.org>; Wed, 2 Dec 2020 15:30:05 -0800 (PST)
Received: by mail-pj1-x1031.google.com with SMTP id e5so57021pjt.0 for <dmarc@ietf.org>; Wed, 02 Dec 2020 15:30:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=frJndGBg4PljdPRXFB1KqYuhqqDFqbuyeJjhznmBtNo=; b=vvoZ+Loew2ueICysZfzHi5UwJ3jXLN5dX+kyHN3HI91ZMJWMq7cym6dw1XQ9zaHvar KWobHhYgPlIURrzw5+sM1lArZM0+S8zElTI9oJicfts5VpsuYtc3kGzpFO58DlGQMzji +Bshah0JzXltImvCLjzUhHXHOLYvfA/Hk9lwY5XD904cTcBo4UfTKvenfFv3yLyBc4k3 l61UDIWK7HRcdixAnDYx7zJLZaO3qcbPOwkG48uqCoMDIJVhcBndL82W/JflTPy4EB9S VydV+ABOODKddInyT2i5+/cTXS1B66NWYHF/Auh1UqRkxB/+H5T//oXYkKWqXolceqkS Y3Nw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=frJndGBg4PljdPRXFB1KqYuhqqDFqbuyeJjhznmBtNo=; b=VGzj3IYpDnfKOxHHOBvlPC5Rl2UZRiU+pFuWtw1YQhxeAzvTsBzqEtETwQfKa01Twt 18oW5glz5BM5SXq4v1bkFStlyppI9zH8iKhiu0CD7aBAQys59Lnc9mz0T64qymNuRJ2a KslbZywMkCLT4Yo9LwZZHsl27as+8d9bCe4GPbMt7EMFqs6/Eu5vfR0umlfg+eygg81h qnYw/YMNPdnUPo0AmU31RMjuBK/7t7C/GTYpP52YfI97EPTIovNvjmRMJAqxiefyYnmb 97ThJaIe6eFDAHhPUBo4ZG87o61csFEtu/Ex9pvRN0J9KRfRGKWSVOjdM1jE8lOV9OKt eVbQ==
X-Gm-Message-State: AOAM530dUJVHp8wabcixnDGLPCjPeoZKT08gK6Tus4aFML8E1Rwj4sLT n/1T4bYrbhLK6wQWt/9nu1rg0LKqSFCEuQ==
X-Google-Smtp-Source: ABdhPJzQUtiWyUp4dVxdii6hT+h4YBukyVaoJ5846n5Di6IUaEwxKrufF/3Atxm7lejww+dr4k5xIw==
X-Received: by 2002:a17:90a:c4f:: with SMTP id u15mr287214pje.177.1606951804840; Wed, 02 Dec 2020 15:30:04 -0800 (PST)
Received: from mike-mac.lan (107-182-42-33.volcanocom.com. [107.182.42.33]) by smtp.gmail.com with ESMTPSA id x7sm158495pfn.85.2020.12.02.15.30.03 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 02 Dec 2020 15:30:04 -0800 (PST)
To: John R Levine <johnl@taugh.com>, Brandon Long <blong@google.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <20201124020453.AFDC027CE5C8@ary.qy> <cd855b53-d9bd-3412-3bd5-dc4b7720dc5c@mtcc.com> <CABa8R6s0bfs87Fu9eOq_R3WH1pngauVXrw3RSPe9iWWCtf3AmQ@mail.gmail.com> <c954eadd-5c85-c0d9-2168-8a42de506b72@mtcc.com> <CABa8R6swzAQLPU=xE2tr1W0J5r+w80BSYu87_ubMwHaUMgmKvA@mail.gmail.com> <1eed8278-4efa-4abc-15e0-2efcf014e82e@mtcc.com> <CABa8R6sEk+dHwHjBCKDgcmeT_Z3FymC5+jzy-GGa=7gJYvOf5A@mail.gmail.com> <446d491b-100a-9813-6463-2294f67bbda7@mtcc.com> <aafa5e78-aff9-8076-b76f-62f5b3a13fc1@taugh.com> <4190de2d-9f17-06d5-6354-30c989eecd4a@mtcc.com> <17d886fd-49fd-28d8-f8e4-7caf2e85919c@taugh.com> <f785884b-2a3d-a6fe-6bb6-ee792d23ff23@mtcc.com> <d5e9dbe-7d83-d3b1-2aa9-3e3562d3e75@taugh.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <8bc3c7ad-2a42-3eed-524c-8c50b16131c2@mtcc.com>
Date: Wed, 2 Dec 2020 15:30:01 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <d5e9dbe-7d83-d3b1-2aa9-3e3562d3e75@taugh.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Ps04jl2ui_JidrigA18z7NntNWg>
Subject: Re: [dmarc-ietf] ARC questions
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 23:30:11 -0000

On 12/2/20 2:53 PM, John R Levine wrote:
>> Which could trivially be added as an extension to DKIM and Auth-Res 
>> negating the need for the Seal altogether since DKIM can directly 
>> sign the old (renamed) auth-res. I can understand for an experiment 
>> not wanting to touch dkim or auth-res, but for something standards 
>> track less is more.
>
> I still don't get it.  I suppose the ARC group could have done 
> something to register extra tags for DKIM-Signature and A-R and tried 
> to do something about the fact that if a message passes through the 
> same network twice, the first A-R will be deleted, and try and find 
> and turn off all of the places where mailing lists helpfully delete 
> DKIM signatures that no longer are valid, and what they came up with 
> wouldn't work a whole lot worse than ARC does.
>
> But why bother?  The IANA header field registry currently has 419 
> entries. Why is it a crisis if it increases to 422 rather than 420?
>

It does a lot more than that:

1) It adds two new signatures to an already existing DKIM signature that 
mailing lists add

2) It adds a new security mechanism (Seal) and adds a new attack 
surface, when the old (renamed) auth-res could just be DKIM-signed which 
has been thoroughly vetted

3) It adds a lot more bloat to the headers

4) Signing is a *far* more expensive operation than verifying, and you 
negated any supposed advantage by adding two new signatures to verify 
for lists that unhelpfully strip the original signature

I see a lot of anecdotes and speculation going on here and very little 
hard data. This has been going on for at least a year. Since this is an 
experiment, that is very worrying. More worrying is that I can't get a 
straight answer on what exactly the value is of the mailing list's 
auth-res is to filtering decisions. That seems to be the lynchpin to all 
of this, but from what I'm seeing it's like an article of faith.

Mike