Re: [dmarc-ietf] Are Evaluators motivated to switch to Tree Walk?
Scott Kitterman <sklist@kitterman.com> Sat, 18 June 2022 13:47 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BF3DC15D875 for <dmarc@ietfa.amsl.com>; Sat, 18 Jun 2022 06:47:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=R/ZswJw+; dkim=pass (2048-bit key) header.d=kitterman.com header.b=mbhEi+zP
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ukWhjhKeo61 for <dmarc@ietfa.amsl.com>; Sat, 18 Jun 2022 06:47:50 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39D1CC15AAE2 for <dmarc@ietf.org>; Sat, 18 Jun 2022 06:47:50 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 1BAA0F802DB for <dmarc@ietf.org>; Sat, 18 Jun 2022 09:47:48 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1655560068; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=GfHUIdNBSP1aKuOBxyyNJ/ubIn5YKQh7XVrS/u2wHYg=; b=R/ZswJw+qaPAoK5bHMNM8TstliLmsiFdhKYmKWZYnA04eFEnjI1QdpSjf11eumIDCK4+2 Sit2ZNK5QQ2W7nLDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1655560068; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=GfHUIdNBSP1aKuOBxyyNJ/ubIn5YKQh7XVrS/u2wHYg=; b=mbhEi+zPpMej+Nx7HmI7rksf0ekAAWepROlWdVLKCVhB271g50c27zfEhZhEGHUjtKT0k G2pO/HCAhwLiGwxiL8IDsvSrmAQfNaRENwCahtrS+h+81Q57E5JZFOXK3VnK62kJ8CNccoX /d5IPxA6w8jATuQxNwFeE5ErEymAZ2OZtEJnbFygY0+ah4ctp2BxV99G0LdcrXy7cW8FoJn id6FsWrCX3lI+evU0F2pgXmAQjG1WqffIxc1gjbGSCHxbsGQxkMiWBin8MIJ1hajt0+psxG ihSzpKRJX6ZP0AtIBUKwqwVBP4+vx3w67jf59vyG72wcPgKJGHpVodGCasWQ==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id F35D2F8020E for <dmarc@ietf.org>; Sat, 18 Jun 2022 09:47:47 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Sat, 18 Jun 2022 09:47:47 -0400
Message-ID: <6179411.nDTXd1jgoo@zini-1880>
In-Reply-To: <CAH48ZfzxqiPQMdRA5SNZOJA2Sd9GsL5dsGdK4aYCHBY4sNmL_Q@mail.gmail.com>
References: <CAH48ZfzxqiPQMdRA5SNZOJA2Sd9GsL5dsGdK4aYCHBY4sNmL_Q@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/R_9bqVqxFSKrV206DszHSNEep04>
Subject: Re: [dmarc-ietf] Are Evaluators motivated to switch to Tree Walk?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jun 2022 13:47:54 -0000
On Saturday, June 18, 2022 8:42:23 AM EDT Douglas Foster wrote:
> Let's talk through the selling process for the Tree Walk algorithm.
...
> In sum, why should an Evaluator make the switch?
I think there are some good points in here. Fundamentally, I agree that there
needs to be a value proposition associated with investing the resources
required to update a DMARC implementation from RFC 7489 to DMARCbis.
I don't think it makes sense to pick apart the document and focus on one
element of the changes in order to determine if that will be supported be
implementers or not. In my experience, engineering organizations don't look
at a specification and assess which pieces of it they want and which ones they
don't. They tend to look at it as a whole, unless there are specific concerns
that need to be addressed.
The code to switch from PSL based organizational domain to tree walk based is
trivial. I think any marginal cost associated with implementing it or not
will be in the noise compared to the overall cost of designing, coding,
testing, and deploying an update from RFC 7489 to DMARCbis.
In the end, as is common in IETF work, it's difficult to forecast how quickly
this will occur. My view is that in the scheme of the overall move to
DMARCbis, the tree walk won't be a big driver, but it does have advantages:
1. Does not use the PSL for something it was not intended for. As has been
mentioned many times, the PSL is designed for browser use cases, not email.
In their words:
It allows browsers to, for example:
Avoid privacy-damaging "supercookies" being set for high-level domain name
suffixes
Highlight the most important part of a domain name in the user interface
Accurately sort history entries by site
This is a big deal in my view. Under RFC 7489 you can either protect your
subdomains against supercookies or have a DMARC policy for them. Not both.
2. It extends DMARC to cover more entities (PSDs) without the need for a
centralized registry (which was the best we came up with for RFC 9091).
The registry is one of the reasons RFC 9091 is experimental. We don't want to
add a single point of failure to the mail system and this was never a great
idea. It was simply the best we could come up with at the time.
3. Under RFC 7489, if a PSD allows cross user forgery so there is a sibling
attack risk that organizational domain owners can't mitigate. With DMARCbis,
organizational domain owners can address this by publishing psd=n.
To the extent cousin domain attacks are a problem, I think the DMARCbis
approach is much better. Under RFC 7489 no domain is more than one PSL update
away from being at risk.
If we do our overall job well, then updating to DMARCbis should be an obvious
choice. My prediction though is that the drivers will ultimately be driven by
business needs. Once there's a large email service solicitation that lists
DMARC using DMARCbis as the reference for the requirement, I expect this will
get more important to service providers.
Scott K
- [dmarc-ietf] Are Evaluators motivated to switch t… Douglas Foster
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Scott Kitterman
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Murray S. Kucherawy
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Scott Kitterman
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Murray S. Kucherawy
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Scott Kitterman
- Re: [dmarc-ietf] Are Evaluators motivated to swit… John Levine
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Murray S. Kucherawy
- Re: [dmarc-ietf] Are Evaluators motivated to swit… John R Levine
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Alessandro Vesely
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Alessandro Vesely
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Douglas Foster
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Scott Kitterman