Re: [dmarc-ietf] Are Evaluators motivated to switch to Tree Walk?
Scott Kitterman <sklist@kitterman.com> Sat, 18 June 2022 13:47 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BF3DC15D875 for <dmarc@ietfa.amsl.com>; Sat, 18 Jun 2022 06:47:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=R/ZswJw+; dkim=pass (2048-bit key) header.d=kitterman.com header.b=mbhEi+zP
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ukWhjhKeo61 for <dmarc@ietfa.amsl.com>; Sat, 18 Jun 2022 06:47:50 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39D1CC15AAE2 for <dmarc@ietf.org>; Sat, 18 Jun 2022 06:47:50 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 1BAA0F802DB for <dmarc@ietf.org>; Sat, 18 Jun 2022 09:47:48 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1655560068; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=GfHUIdNBSP1aKuOBxyyNJ/ubIn5YKQh7XVrS/u2wHYg=; b=R/ZswJw+qaPAoK5bHMNM8TstliLmsiFdhKYmKWZYnA04eFEnjI1QdpSjf11eumIDCK4+2 Sit2ZNK5QQ2W7nLDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1655560068; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=GfHUIdNBSP1aKuOBxyyNJ/ubIn5YKQh7XVrS/u2wHYg=; b=mbhEi+zPpMej+Nx7HmI7rksf0ekAAWepROlWdVLKCVhB271g50c27zfEhZhEGHUjtKT0k G2pO/HCAhwLiGwxiL8IDsvSrmAQfNaRENwCahtrS+h+81Q57E5JZFOXK3VnK62kJ8CNccoX /d5IPxA6w8jATuQxNwFeE5ErEymAZ2OZtEJnbFygY0+ah4ctp2BxV99G0LdcrXy7cW8FoJn id6FsWrCX3lI+evU0F2pgXmAQjG1WqffIxc1gjbGSCHxbsGQxkMiWBin8MIJ1hajt0+psxG ihSzpKRJX6ZP0AtIBUKwqwVBP4+vx3w67jf59vyG72wcPgKJGHpVodGCasWQ==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id F35D2F8020E for <dmarc@ietf.org>; Sat, 18 Jun 2022 09:47:47 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Sat, 18 Jun 2022 09:47:47 -0400
Message-ID: <6179411.nDTXd1jgoo@zini-1880>
In-Reply-To: <CAH48ZfzxqiPQMdRA5SNZOJA2Sd9GsL5dsGdK4aYCHBY4sNmL_Q@mail.gmail.com>
References: <CAH48ZfzxqiPQMdRA5SNZOJA2Sd9GsL5dsGdK4aYCHBY4sNmL_Q@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/R_9bqVqxFSKrV206DszHSNEep04>
Subject: Re: [dmarc-ietf] Are Evaluators motivated to switch to Tree Walk?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jun 2022 13:47:54 -0000
On Saturday, June 18, 2022 8:42:23 AM EDT Douglas Foster wrote: > Let's talk through the selling process for the Tree Walk algorithm. ... > In sum, why should an Evaluator make the switch? I think there are some good points in here. Fundamentally, I agree that there needs to be a value proposition associated with investing the resources required to update a DMARC implementation from RFC 7489 to DMARCbis. I don't think it makes sense to pick apart the document and focus on one element of the changes in order to determine if that will be supported be implementers or not. In my experience, engineering organizations don't look at a specification and assess which pieces of it they want and which ones they don't. They tend to look at it as a whole, unless there are specific concerns that need to be addressed. The code to switch from PSL based organizational domain to tree walk based is trivial. I think any marginal cost associated with implementing it or not will be in the noise compared to the overall cost of designing, coding, testing, and deploying an update from RFC 7489 to DMARCbis. In the end, as is common in IETF work, it's difficult to forecast how quickly this will occur. My view is that in the scheme of the overall move to DMARCbis, the tree walk won't be a big driver, but it does have advantages: 1. Does not use the PSL for something it was not intended for. As has been mentioned many times, the PSL is designed for browser use cases, not email. In their words: It allows browsers to, for example: Avoid privacy-damaging "supercookies" being set for high-level domain name suffixes Highlight the most important part of a domain name in the user interface Accurately sort history entries by site This is a big deal in my view. Under RFC 7489 you can either protect your subdomains against supercookies or have a DMARC policy for them. Not both. 2. It extends DMARC to cover more entities (PSDs) without the need for a centralized registry (which was the best we came up with for RFC 9091). The registry is one of the reasons RFC 9091 is experimental. We don't want to add a single point of failure to the mail system and this was never a great idea. It was simply the best we could come up with at the time. 3. Under RFC 7489, if a PSD allows cross user forgery so there is a sibling attack risk that organizational domain owners can't mitigate. With DMARCbis, organizational domain owners can address this by publishing psd=n. To the extent cousin domain attacks are a problem, I think the DMARCbis approach is much better. Under RFC 7489 no domain is more than one PSL update away from being at risk. If we do our overall job well, then updating to DMARCbis should be an obvious choice. My prediction though is that the drivers will ultimately be driven by business needs. Once there's a large email service solicitation that lists DMARC using DMARCbis as the reference for the requirement, I expect this will get more important to service providers. Scott K
- [dmarc-ietf] Are Evaluators motivated to switch t… Douglas Foster
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Scott Kitterman
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Murray S. Kucherawy
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Scott Kitterman
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Murray S. Kucherawy
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Scott Kitterman
- Re: [dmarc-ietf] Are Evaluators motivated to swit… John Levine
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Murray S. Kucherawy
- Re: [dmarc-ietf] Are Evaluators motivated to swit… John R Levine
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Alessandro Vesely
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Alessandro Vesely
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Douglas Foster
- Re: [dmarc-ietf] Are Evaluators motivated to swit… Scott Kitterman