[dmarc-ietf] Re: Discussion Thread for Issue 155
"Murray S. Kucherawy" <superuser@gmail.com> Thu, 24 October 2024 14:54 UTC
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 24 Oct 2024 07:54:39 -0700
Message-ID: <CAL0qLwbTMhMP8srKwBCzi0Y8C=PaBFbbNY7d0ji6XXLWMgx6kw@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
CC: Steven M Jones <smj@crash.com>, dmarc@ietf.org
List-Id: "Domain-based Message Authentication, Reporting, and Compliance (DMARC)" <dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/RVZgwvFO2pgQaOZjZB7Hu-qiFk4>

On Thu, Oct 24, 2024 at 4:34 AM Douglas Foster <dougfoster.emailstandards@gmail.com> wrote:

> The necessary first step is to acknowledge that RFC7489 is a heuristic,
> and like all heuristics, it will make mistakes. So the interesting work
> is determining how to detect and correct mistakes.

Please explain how Section 7.4 falls short of this "necessary" step. I agree that it would be nice for DMARCbis to admit these weaknesses while also presenting comprehensive mitigations, but the latter is not always both possible and standards-worthy. It's perplexing that you make these proclamations in the presence of contrary evidence and repeated explanations.

> From a security standpoint, authentication is a binary Pass/Fail issue.
> There are not 4 types of failure. Because any unauthenticated message
> MIGHT be a malicious impersonation, the most secure response to an
> unauthenticated message is quarantine. But you cannot do that early in
> the rollout process because you will be overwhelmed by the quarantine
> volume. So you triage, and let some unauthenticated messages through
> sender authentication and hope that content filtering catches the worst
> stuff. But if you do things right, the quarantine volume shrinks steadily.

In my view, you've basically restated Section 7.4 here.

> You cannot afford to investigate the same quarantine issue over and over
> again. So every quarantine investigation needs to lead to an allow/block
> decision, and the result of an allow decision is to provide alternate
> authentication in local policy. (Alternate authentication does not mean
> whitelisting to bypass content filtering.)

This is operational advice. I would argue we don't need to spell this out because it's out of scope of the protocol itself, but if the WG decides to add text of this sort either here or in a best practices document, that's fine.

I asked before and never got an answer: Do you have a draft available that collects all of this advice and mitigations? Or are you expecting the WG to do this on its own?

I don't want to step into the chairs' domain, but I think we're long past the point of changing the entire scope of this document to incorporate best practices material of the volume and breadth you're espousing.

-MSK