Re: [dmarc-ietf] third party authorization, not, was non-mailing list

[Alessandro Vesely <vesely@tana.it>]

On Tue 25/Aug/2020 20:13:46 +0200 John R Levine wrote:
> On Tue, 25 Aug 2020, Dotzero wrote:
>>>> I would expect there to be multiple potential approaches to identifying
>>>> acceptable intermediaries.
>>>
>>> The harder part is to decide which intermediary gets to re-sign which
>>> message at the time you apply the weak signature.
>>
>> It would have be the domain in the "To" field.  It wouldn't work with
>> random unknown intermediaries. It would address the MLM issue as long as
>> the MLM domain is the same as the "To" domain when the message was
>> originally sent. It could also presumably work for vanity domains if they
>> DKIM sign. It wouldn't work for forwards on the receiver side that the
>> sender is unaware of.
> 
> If the list is somelist@lists.foo.org, does the signature have to be 
> d=lists.foo.org?  How about d=foo.org?
> 
> On the flip side, do you put a weak signature on all of your outgoing mail, 
> which seems like a bad idea, or just mail that you expect to go through list 
> modification?  In the latter case, how do you tell?  These are the scaling 
> problems that I fear make this unworkable.


https://tools.ietf.org/html/draft-levine-dkim-conditional-03#section-4.1 looks 
quizzical.  It says:

    A small sender that doesn't know which of its mail recipients are
    likely to be forwarders might put a weak signature on all outgoing
    mail, in the expectation that few of its users correspondents are
    likely to be malicious.

If a sender has no idea, what domain would it put in fs=, the recipient's 
domain?  That entails that a signing filter acts in an advanced SMTP step, 
where the connection to the MX is established and the receiving domain known.

Also, in the previous paragraph:

    A sender that expects a message to be forwarded might put both a
    conventional DKIM signature and a signature with a !fs tag that
    refers to the domain name of the expected forwarder.  That signature
    would typically be a "weak" signature that covers the From, To, Date,
    and Message-ID headers but does not cover the Subject header or the
    message body, so that it would remain valid even if a forwarder made
    changes typical of forwarders such as mailing lists.

I understand that nobody can prevent a sender to put a conventional DKIM 
signature, even if it expects the message to be forwarded.  However, if the 
scenario gets upgraded so as to consider that the sender /knows/ that the 
message is going to be forwarded, then the conventional signature is pretty 
useless, as forwarding will break it.  How about this:

    A sender that expects a message to be forwarded might well skip putting
    a conventional DKIM signature and put just a signature with a !fs tag that
    refers to the domain name of the expected forwarder.  That signature
    would typically be a "weak" signature that covers the From, Date, and
    Message-ID headers but does not cover the Subject, To, or Cc header fields,
    nor the message body.

(To: and Cc: are often reordered, which breaks signatures.)

Finally, IMHO the Security Consideration section should compare using !fs= 
versus plain weak signatures.  In particular, consider senders who carefully 
avoid to send out weak signatures except for trusted (forwarding) recipients. 
Would it be advisable to put both a plain weak signature and a signature with 
!fs=?  Plain weak signatures might be discarded by recipients with local 
policies about l=, while v=man signatures might be discarded by unupgraded 
verifiers.  Putting two signatures together is rather common in the presence of 
new features, e.g. those who use elliptic keys do so.  What is the difference 
between the risks brought on by each kind of weak signature?  Answering such 
question justifies the version change.


Best
Ale
--