IETF Logo Mail Archive

Re: [dmarc-ietf] Simple authorization offers reasonable control over messaging resources

Terry Zink <tzink@exchange.microsoft.com> Fri, 15 May 2015 06:27 UTC

Return-Path: <tzink@exchange.microsoft.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AD851ACE6C for <dmarc@ietfa.amsl.com>; Thu, 14 May 2015 23:27:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gkMpmSlWfy-U for <dmarc@ietfa.amsl.com>; Thu, 14 May 2015 23:27:09 -0700 (PDT)
Received: from na01-by1-obe.outbound.o365filtering.com (na01-by1-obe.ptr.o365filtering.com [64.4.22.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43CC01ACE63 for <dmarc@ietf.org>; Thu, 14 May 2015 23:27:09 -0700 (PDT)
Received: from BL2SR01MB605.namsdf01.sdf.exchangelabs.com (10.255.109.167) by BL2SR01MB604.namsdf01.sdf.exchangelabs.com (10.255.109.166) with Microsoft SMTP Server (TLS) id 15.1.172.7; Fri, 15 May 2015 06:27:06 +0000
Received: from BL2SR01MB605.namsdf01.sdf.exchangelabs.com ([169.254.5.234]) by BL2SR01MB605.namsdf01.sdf.exchangelabs.com ([169.254.5.234]) with mapi id 15.01.0172.012; Fri, 15 May 2015 06:27:06 +0000
From: Terry Zink <tzink@exchange.microsoft.com>
To: Douglas Otis <doug.mtview@gmail.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Simple authorization offers reasonable control over messaging resources
Thread-Index: AQHQjpqwTsF5j4YCp0ahJkVLZQMWO518kDbA
Date: Fri, 15 May 2015 06:27:05 +0000
Message-ID: <BL2SR01MB6053E364068BFB0855BA5C996C70@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
References: <554BC30F.1020107@isdg.net> <554BE12A.7010606@isdg.net> <26011.1431106173@vindemiatrix.encs.concordia.ca> <554D3D1E.9050509@isdg.net> <27522.1431236028@vindemiatrix.encs.concordia.ca> <CAL0qLwYeWuovoCnK-Fo9PMajmAgRsxjpXav=ZuDL2A7jm2YLuw@mail.gmail.com> <14447.1431266709@vindemiatrix.encs.concordia.ca> <CAL0qLwbE_30cYWyRXCXkFbw4EMjwX-cy=48+o+c4qyrJY4LeLA@mail.gmail.com> <CAL0qLwbH6qTWhWVjpFAKmYU_fTdx8Hyy1PrE0ztLvG=3xmP_TA@mail.gmail.com> <554FEBB4.5050805@gmail.com> <CAL0qLwaVJY8eecoXV_Ctsxu5D5k+K6sg0dsQZtxafA22s4N1Vg@mail.gmail.com> <5550FB6C.7050802@gmail.com> <55518F96.8040708@isdg.net> <55529DFB.3010704@gmail.com> <87a8x92q7g.fsf@uwakimon.sk.tsukuba.ac.jp> <5553C44C.7040307@gmail.com> <87vbfv2480.fsf@uwakimon.sk.tsukuba.ac.jp> <CAL0qLwZwnopXBvC5XUMV1tkw43eDrf1PJu0EduND_-v_ku8dFw@mail.gmail.com> <87mw171trj.fsf@uwakimon.sk.tsukuba.ac.jp> <CAL0qLwbBeQw3AgOM+MVmQyQoJNc15-vX2vBY9n2JheDgVJxFwQ@mail.gmail.com> <55552A6C.5060101@gmail.com>
In-Reply-To: <55552A6C.5060101@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [75.165.40.56]
x-microsoft-exchange-diagnostics: 1; BL2SR01MB604; 3:6OGFkxe3DSugf2cl/RBHI4dSMUKZB0VTAqs8rBz4uC9kIFrwkpB7y1J5R6QGWK2qHPKTayDicozU03voroMt90CRb8kcPV88UTLfqrtVBoKLFRgYi22nFMOacnxkwCa4CCaoaNjPW8NumJpU3sJktg==; 10:kOhLMA+jRRqyxlvuLl1IGSC2ZqFm91N3k8U4qOxaGXSNTzB6E0kog1YYSpzaZVlCofmKbjonsSgOWuxhAY08WmFu0my3vCPFjM0zAwc6eF8=; 6:UTCVv63xSJoIpbLjrkrS8gDfF0L1h/YUd2NgRQ+Qe0HYXrupOUPtxkNkM2gWkVk4
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BL2SR01MB604;
x-microsoft-antispam-prvs: <BL2SR01MB604CF36DAA04A3B8AB043C696C70@BL2SR01MB604.namsdf01.sdf.exchangelabs.com>
x-forefront-antispam-report: BMV:1; SFV:NSPM; SFS:(10019020)(6009001)(51704005)(377454003)(24454002)(13464003)(189002)(199003)(479174004)(2950100001)(105586002)(97736004)(5001860100001)(106116001)(106356001)(54356999)(76176999)(50986999)(5001770100001)(5001830100001)(5001960100002)(107886002)(2900100001)(19580405001)(19580395003)(86362001)(15975445007)(68736005)(102836002)(4001540100001)(81156007)(92566002)(87936001)(2501003)(2656002)(101416001)(64706001)(66066001)(93886004)(77156002)(62966003)(33656002)(46102003)(189998001); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2SR01MB604; H:BL2SR01MB605.namsdf01.sdf.exchangelabs.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(5005002)(5002009)(3002001); SRVR:BL2SR01MB604; BCL:0; PCL:0; RULEID:; SRVR:BL2SR01MB604;
x-forefront-prvs: 0577AD41D6
received-spf: None (protection.outlook.com: exchange.microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tzink@exchange.microsoft.com;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: exchange.microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 May 2015 06:27:05.7225 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f686d426-8d16-42db-81b7-ab578e110ccd
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL2SR01MB604
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/QNXUPNxRrmnVUDZ9PsSEQlaTYfM>
Subject: Re: [dmarc-ietf] Simple authorization offers reasonable control over messaging resources
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2015 06:27:12 -0000

> The Sender header field when present has been defined for
> decades to represent the sending agent!

Maybe, maybe not. Outlook desktop client shows the Sender: header as "<sender> on behalf of <5322.from>", but neither Hotmail/outlook.com nor Gmail do. They just show the 5322.From address regardless of whether or not there is a Sender: header. This Sender: DMARC fix requires a change in the way these clients render email. Given the marginal additional benefit to  receiving mailing list traffic that won't implement any of the published workarounds (not modifying content, fiddling around with Reply-To and From addresses, changing the From: domain to be the mailing list domain), I can't see why Gmail or Hotmail would want to make a change like that. I agree with Murray that it isn't worth pursuing, the cost/benefit ratio isn't there.

> Again, we will happily help any large ESP configure and
> maintain their services to make use of this scheme and even
> offer the needed resources.

Doug, who is this "we" you keep referring to who will happily maintain someone else's DNS zone? Your employer? Are you volunteering them on their behalf? Is this a free service of theirs? If not, why would anyone agree to a solution that is hard to manage at scale but, lucky for you, just so happens to benefit your employer?

The TPA authorization DNS zone publishing has been pushed by yourself and another board participant and has received universally negative feedback, or at best neutral feedback. The people here are smart and have as much experience as anyone else and they understand what you are saying. But they still don't agree, including me. I think it's time to make like the movie Frozen and let it go.

-- Terry

-----Original Message-----
From: dmarc [mailto:dmarc-bounces@ietf.org] On Behalf Of Douglas Otis
Sent: Thursday, May 14, 2015 4:06 PM
To: dmarc@ietf.org
Subject: [dmarc-ietf] Simple authorization offers reasonable control over messaging resources



On 5/14/15 4:54 AM, Murray S. Kucherawy wrote:
> On Thu, May 14, 2015 at 12:51 AM, Stephen J. Turnbull <stephen@xemacs.org>
> wrote:
>
>>  > What gets added from here forward really needs to be as innocuous
>>  > as possible.  I believe we're in a position where things like SPF
>>  > and DKIM are still young enough that their implementations are
>>  > malleable,
>>
>> I'm not sure what you mean.  Now that I actually know what those
>> protocols do (and DMARC itself, for that matter), I don't really see
>> how they can be much improved.  Do you mean the policy engines that
>> make decisions based on the output of SPF and DKIM implementations?
>>
> I'm saying that incremental changes to DKIM, SPF, and DMARC are far more
> likely to succeed than anything along the lines of "Everyone start using
> and paying attention to Sender", "Let's register yet another Sender-type
> field", or "Registration scheme X".  The operational changes required for
> those three families of solutions are too enormous and involve too many
> wildcards for me to believe they stand a chance of success.
Dear Murray,

The Sender header field when present has been defined for
decades to represent the sending agent!

DMARC improved delivery registration accuracy for
TRANSACTIONAL messages based on the SMTP MailFrom parameter
(bounce address) or DKIM (unrelated to any field) where
either is allowed to fail.  For TRANSACTIONAL email,
combining these two marginal authorization schemes easily
adjusted to relate with the From header field offered a low
percentage authorization failure to better ensure compliance
with a restrictive policy.  The expediency this allowed did
not justify disrupting valid and legitimate exchanges not
limited to transactional or direct messaging configurations.

Neither DKIM nor SPF authenticate an actual message source,
but simple authorization offers reasonable control over
messaging resources.  DMARC is fine when messages are
limited to direct exchange, but fail badly when exchanges
make use of the Sender header field that may signify use of
mediators or other resources.  At one time DMARC even
recommended against issuing non-transactional messages, but
acknowledgement of DMARC's potential disruption of normal
email interchange was dropped.

Commercially available products for years have been able to
clearly indicate the entity trusted at providing a message. 
It seems DMARC assumes recipients are too easily misled and
can't be trusted to deal with S/MIME, OpenPGP, or MUAs that
verify and display the Sender header field and think
everyone is better able to deal with munged From header fields.

The TPA-Label is able to thwart wildcards simply by
publishing a negative wildcarded label.  A practice that
won't work with DNS-SD.  A sender must have reasonable
control over the resources they authorize.  Any double
signing scheme relaying authorization to a third-party via
DKIM can not control the authorized resources since the
entire message body may change and DKIM can be replayed to
any destination by design.  Without adequate control,
authorization protections fail simply because neither SPF or
DKIM are able to authenticate the source, nor can DKIM offer
an expedient authorization retraction in say a 5 to 15
minute range.

While I commend efforts made at fleshing out your version of
the ATPS protocol, due to the inherent hurdles introduced
for third-parties it was unlikely this scheme would be
adopted.  The lesson is DKIM offers a poor method to signal
changes beyond those already expected.

There was no reason to change how a third-party is verified
since they too can use DKIM and SPF or even DANE or the HELO
parameter for that matter.  The correct place to signal such
change is at the DMARC assertion.

See Third-Party Authorization example of:

"sam=tpa; and tpa=third-party-authority.example.com;"

https://tools.ietf.org/html/draft-otis-dmarc-escape-02#section-4

This scheme involves a simple DNS server operating an
isolated zone separated from other domain services and can
even be published by a different domain.

This approach allows the _tpa zone to be maintained as a
community effort or as a specialty service to ensure the
sender has reasonable and nearly immediate control over the
resources they authorize.

By being able to include policy for the Sender header field,
DMARC can become compatible with RFC5322.

While some might describe this a complex authorization
scheme, it can be combined with
<https://tools.ietf.org/html/draft-levine-dkim-conditional-01>
draft-levine-dkim-conditional to offer a resource record
where only the base portion of the domain might be included
to guard against domain hash collisions.

TPA-Label that had the goal of reducing collateral damage
caused by compromised accounts or resources, can be combined
with draft-levine-dkim-conditional to signal when this
limited signature should be included and which domain needs
to be authorized.  Because this uses very simple resource
records, is should scale far better than SPF and yet permit
a means to establish an informal federation scheme to better
protect email infrastructure with low latency abuse responses.

TPA-Label does not make handling third-party messages
harder.  Instead, TPA-Label offers a simple way to signal
which domains require exceptional handling.  Without such a
feature, DMARC can not be seen as being compatible with
RFC5322. 

Again, we will happily help any large ESP configure and
maintain their services to make use of this scheme and even
offer the needed resources.

Regards,
Douglas Otis


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email