IETF Logo Mail Archive

Re: [dmarc-ietf] Announcing DMARCbis Editors

Hector Santos <hsantos@isdg.net> Tue, 10 November 2020 21:57 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FC5D3A1086 for <dmarc@ietfa.amsl.com>; Tue, 10 Nov 2020 13:57:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=IF84fPnH; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=dnJLrFWR
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0LGiuA3X5hAA for <dmarc@ietfa.amsl.com>; Tue, 10 Nov 2020 13:57:06 -0800 (PST)
Received: from mail.winserver.com (mail.santronics.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4A443A1082 for <dmarc@ietf.org>; Tue, 10 Nov 2020 13:57:05 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4583; t=1605045423; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=n+TE0yg7PZ521aNSTokrLZZNB5Fk M9m62EV6GpHn1yI=; b=IF84fPnH4ciAYjW9QoFyBx7clmF6sZZESulopi5bOYA4 u50VEV1e8JH35Oagqw+xin71BYoLbOS1tG8BToOVjrH5wwvsBdgQOOmO14xloDOg +u19Ud/0CvgSFzKp10acTyT/AKoJEVUsEzXt6tU/3C1tp8HHQZ2NrTz6PVCGIqg=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Tue, 10 Nov 2020 16:57:03 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 2780503524.1.3708; Tue, 10 Nov 2020 16:57:02 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4583; t=1605045132; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=n+TE0yg 7PZ521aNSTokrLZZNB5FkM9m62EV6GpHn1yI=; b=dnJLrFWRElKNXG2fNBONTjL v5PTwgMpXxqNlepg6M/I5AxncZ5B9cZZlRhkh7YbWueTvX+sQWdlwpNzfGxpZ7gK svuvykWkyGDHwwDACJ9cjQC56KnUiWnMiq25m/6QkCPsN+b7pgSFk2vHE76IbaWg QFw/UEkJDfWsQzjgnhc8=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Tue, 10 Nov 2020 16:52:12 -0500
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 2647403813.1.5260; Tue, 10 Nov 2020 16:52:11 -0500
Message-ID: <5FAB0CAD.4090809@isdg.net>
Date: Tue, 10 Nov 2020 16:57:01 -0500
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Jim Fenton <fenton@bluepopcorn.net>, Steven M Jones <smj@crash.com>
CC: dmarc@ietf.org
References: <CAOZAAfOt0gH7HELPgNTyo--GbLWpSVx-94Ea-MSpdCq_0CT3KA@mail.gmail.com> <5A7444DD-385E-44E3-BAAF-BE87AE5FDA61@bluepopcorn.net> <CAHej_8=vGTd5Gqn0=unidGLeMTHQOFsSCK5_Gk9BoUDPULdfSQ@mail.gmail.com> <3676bcc9-8c7f-102a-f844-d08d6914077e@tana.it> <CAOZAAfOi9SgMJipeyBCPe0YHnRCbQX4_w1hupP2PPHLoNzQChw@mail.gmail.com> <6460DF58-84E9-4390-9268-A7492476E0F3@bluepopcorn.net> <00c2d38b-914b-274f-af3f-c0c808de37e4@crash.com> <FCB2C3DD-74BD-4C8D-B6B1-1A146CCB2E2F@bluepopcorn.net>
In-Reply-To: <FCB2C3DD-74BD-4C8D-B6B1-1A146CCB2E2F@bluepopcorn.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/QYAZduU9r-iFCRxvZpwM3QXzQzw>
Subject: Re: [dmarc-ietf] Announcing DMARCbis Editors
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2020 21:57:10 -0000

On 11/9/2020 6:04 PM, Jim Fenton wrote:

> On 7 Nov 2020, at 20:12, Steven M Jones wrote:
>
>> Okay, but what is the expected payoff from splitting it out? Does it
>> make it easier to process and approve updates of the policy content
>> separately from, say, the description of record discovery or
>> Alignment concepts? Easier to pass muster for Standards Track? Are
>> implementers currently confused and dissuaded by having policy
>> details mixed with the other content?
>>
>> If the benefits seem worthwhile, I could get behind the split - but
>> there ought to be a clear benefit.
>
> The benefit I have in mind is that reporting does not cause issues
> with indirect mail flows (the addressing of which is item 1 on the WG
> charter), so it can proceed even while there isn’t WG consensus on how
> to solve that problem for the policy piece. Or in the extreme case, it
> can proceed even if IESG considers the policy piece to not have an
> acceptable solution.
>
> Of course, if the solution to the policy piece is likely to affect the
> discovery/binding of the policy and reporting, which would be in the
> base document, this argument doesn’t hold.

My view.

I was the 2nd on Jim's proposal to split DMARC.  I presumed the obvious:

- DMARC-BASE
- DMARC-REPORTS  (optional reporting features. Not required)

DMARC-BASE is the base policy protocol based on the DKIM-POLICY model 
as was DKIM-SSP and DKIM-ADSP.  All these proposals used the required 
DKIM 5322.From domain identity binding as input for a DKIM Policy 
model.The DKIM Signer Domain identity is input for an Reputation 
lookup that never materialized. DKIM-VBR is the closes thing we have 
to a IETF proposed reputation lookup for DKIM.  DKIM-VBR does the 
Author and Signer as input.

I favored the split for the same reasons DKIM was split into two WG PS 
work items:

- DKIM-BASE   was the base signing/verification protocol,
- DKIM-POLICY where DKIM-SSP was the draft proposal on the table.

The split allowed DKIM-BASE to be completed and now we have a DKIM STD 
document.

Fenton was the editor of DKIM-SSP. It evolved to DKIM-ADSP which was 
abandoned and the DKIM WG ended.  It was replaced with DKIM-DMARC as 
an Informational Status document.

Keep in mind that DKIM-SSP covered 3rd party policies with an "o=" tag:

SSP Draft:

    o=~  NEUTRAL (signature optional [No 3rd party?])
    o=-  STRONG  (signature required, 3rd party allowed)
    o=!  EXCLUSIVE (signature required, no 3rd party)
    o=.  NEVER  (no mail expected)
    o=^  USER

WG Suggestions:

    o=?  WEAK (signature optional, no third party)
    o=~  NEUTRAL (signature optional, 3rd party allowed)


Due to the ambiguity of the 3rd party policies and the lack of a 3rd 
party authorization protocol, Levine rewrote DKIM-SSP draft 3 titled 
DKIM-ASP and by draft 10, it became DKIM-ADSP.

ADSP stripped the 3rd party semantics and pretty much left an 
EXCLUSIVE policy with ADSP DISCARDABLE policy.

DMARC also offered a similar exclusive signing policy and also 
reported as well.

Fast forward to today.  I believe the charter is touching based with 
the 3rd party resigners design issues. So we are back to a situation 
where we may have three documents:

- DMARC-BASE      base protocol for current strong 1st party policy,
- DMARC-REPORTS   optional reporting
- DMARC-TPA       Third party Authorization proposals.

The DMARC-TPA should cover ATPS, ARC and hopefully conditional 
signatures. However, based on the charter, it outlined specifically:

* Incorporate ARC or something that deals with indirect mailflows

This work item was lumped into DMARC-BASE.

My position is this:

I believe ARC or "something that deals with indirect mailflows" that 
is not well defined or has not gained traction as a TPA solution, 
should not be included in DMARC-BASE.

DMARC-BASE should be independent of any other add-on but it should 
allowed for Tag Extensions to support TPA concepts included ARC, ATPS 
and conditional signatures.

In my opinion, this is a best way to get DMARC-BASE fast tracked to 
standardization. DMARC-TPA or DKIM-TPA can be a separate doc that 
specifies add-on DMARC augmentations which are designed to help 
address the long time 3rd party resigned and authorization issue.

While I personally, and I believe ideally, prefer ATPS be included in 
the DMARC-BASE protocol, due to the lack of WG support, I rather get 
the DKIM-BASE 1st party semantics completed first.

Thanks

-- 
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos

v2.23.0 | Report a Bug | By Email