IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

"Murray S. Kucherawy" <superuser@gmail.com> Thu, 29 June 2023 05:25 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 118B4C15108F for <dmarc@ietfa.amsl.com>; Wed, 28 Jun 2023 22:25:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vcMb9ItwV08p for <dmarc@ietfa.amsl.com>; Wed, 28 Jun 2023 22:25:50 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 862BCC15108C for <dmarc@ietf.org>; Wed, 28 Jun 2023 22:25:50 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id a640c23a62f3a-98502b12fd4so7346766b.1 for <dmarc@ietf.org>; Wed, 28 Jun 2023 22:25:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1688016349; x=1690608349; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vRlOr5tcwBXlTCJtVs3ZrVMBH/GqzLw009pqzBWcfe4=; b=GhHhc19XjABRuTrQJ7GbVJBN/fpUsjrlQQ3QlDCEHCCChhnCPN7kWU7s+5wtt/PcAZ hDugIi69nBuqEMpa1ahax4gDBMebyMMJ2vBZadnl6B7ue5Sqrs2+3igZrCqZ91nBAG2v LsglTwCf4bd9rXIcfR0ZZO4evuBkKTy9Ag5pULRFBGWwfeahKxgpqrRbC+QCLqT9hKO8 37tzXCcqkYX2oVXr2RqhZeoOPszuU4mxILTrJDJjpxm9PAer/nwipprTAMArjvHv+1/i YJfYGTCZlg81dWyZOUZxscfAZLCip+zyxTvJ6rXPhacUpm1ADSkD9K4XhEHRMXBlXRR0 qxwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688016349; x=1690608349; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vRlOr5tcwBXlTCJtVs3ZrVMBH/GqzLw009pqzBWcfe4=; b=Q14pHKIDNzJkLFe2WD3XJT8NdffE3/sQF+NysWk4Vve0Za9Olo+TAI5JvoU4PPtZ/q yMszVPwN1CVgHmYxEaQdpLykfZx/7dExi6IzGipLhBF83bNgmqSW2aEQV+DRLmK/UStq hGE2C23IbwZkwy4YGJqtcw5nONbGc7mAioybwf3Tjd5/mfYL01VNE4IV3ykRxdOJdnVl HQd4MbTDCkrJqP40/QhFMC7oHuILE3Ho0b6e70iKgkVHZSPKZHW2GWgq5ykfS8s68uN1 +J3IuK2UrablbUzbfZ5+NzaN6MY/kywL4gDft7Lq3+MXwKnaRbExWct+H4D8n026uWrZ xWDA==
X-Gm-Message-State: AC+VfDwyVBrqqVE546gjrIRIheOkqhFMqo/fFihFAAZMCReqdiNML/bM Ahyq03N3kXr7ZZ7ecK8CFb6uB8MBh/Y4Gu3byJD+jKn6
X-Google-Smtp-Source: ACHHUZ6TwmXX/GGX1VllV7LflLdQugBdqTGvTADQf0YmOQOCfekjWlUwZtWKzTc0AJBXP3rngcJcX3tY7oT8IFojFNM=
X-Received: by 2002:a17:906:72cd:b0:988:f9ba:e18d with SMTP id m13-20020a17090672cd00b00988f9bae18dmr1284919ejl.6.1688016348466; Wed, 28 Jun 2023 22:25:48 -0700 (PDT)
MIME-Version: 1.0
References: <20230623021810.E5F8DF9B3B94@ary.qy> <6495D504.4090809@isdg.net> <839aa10b-f7fa-c7a2-76db-6441189afca2@dusatko.org> <CALaySJ+gcVvpzJcrpUbOkOvjUFAhzw=pZovpZC7BhW_x7VW7nA@mail.gmail.com> <CAL0qLwasxzqJt7Hr7gZd86C=ivCrDUci_i6pkJJUTnqzL1pHMA@mail.gmail.com> <CALaySJ+gjR6D-OSE_07iSH2zXa7wypUQwPN1cL-1s+NC2S4L8g@mail.gmail.com> <99e1ef2d-053b-8cfe-f369-fa8475d142ae@tana.it> <CALaySJKZoAPTT-+cZEww+y2eUsDbNXcybb=Z7RxNLyfzPMr7ng@mail.gmail.com> <d3986316-02f9-9d73-be81-37af7cfd40a7@tana.it> <CALaySJLtUtKNtP4__pOryFLaAODjiEx-nbdvF9tL6wYhcRCe_g@mail.gmail.com> <877A1137-3A55-424A-A9C5-FCCA4F2D5436@kitterman.com> <CAH48Zfyp1CvKLaGvYp0eC=E3hG7GU-T2YGR+H64GMzSNjM3AAA@mail.gmail.com>
In-Reply-To: <CAH48Zfyp1CvKLaGvYp0eC=E3hG7GU-T2YGR+H64GMzSNjM3AAA@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Wed, 28 Jun 2023 22:25:36 -0700
Message-ID: <CAL0qLwbRe8LRx7PupT9=FYBbGd1s4y8BnU3iD2eLR8rB7Gdbig@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d3518205ff3dee70"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/SHh_9H3w8H8xlDlvONqcSdENj3s>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2023 05:25:51 -0000

On Wed, Jun 28, 2023 at 5:50 PM Douglas Foster <
dougfoster.emailstandards@gmail.com> wrote:

> We are talking about SPF AND DKIM because of the problems with DKIM
> replay.   Can someone summarize the state of the DKIM update options that
> have been ruled in or ruled out?
>

There's a document over in that working group that takes a run at doing so.

I'm worried about the complexity and assumptions in the proposal that
follows:

Given a received sequence of
>
>    - Msg Date
>    - Rcv Date 1
>    - Rcv Date 2
>    - ....
>    - Rcv Date N
>
> A signature should have a start time between one of these date boundaries.
>

There's no reason to trust the dates, IP addresses, or any other detail in
these header fields beyond infrequent manual diagnostic efforts.  They are
trivially forged and rarely signed.   You definitely should not attempt to
couple anything you infer from them with the semantics of a passing
cryptographic signature.

The first global IP after the signature server becomes the perimeter server
> which must demonstrate that it's domain has the right to act on behalf of
> the signing domain.
>

That sounds like the very definition of SPF.

By "global" I presume you mean "publicly routed".  Do we really want to
start teaching mail software how to determine which IP addresses are
publicly routed?  It's not as simple as the RFC 1918 question.

Improvements within control of the signing server:
>
> If the message is not created by the originating server, the message
> should contain one or more Received headers.   The header list on the
> signature should contain "Received" entries to match the number of Received
> headers at the time of signing.   This further identifies the signature's
> position in the Received chain.
>

The original DKIM RFC (RFC 4871) specified a list of header fields that
SHOULD and SHOULD NOT be signed, and Received was in the latter group.
It's common for Received fields to be stripped when they depart a domain in
order to conceal the topology within that domain.  Less commonly, they can
get reordered, edited, or re-wrapped.  Any of those would break the
signature if it covered them.

RFC 6376, the standard, dropped the SHOULD and SHOULD NOT, but still
discourages paying any attention to Received when signing.


> Improvements requiring changes to the DKIM specification
>
> They could identify a way to document the signing server's domain in the
> signature.
>

Isn't that the "d=" tag?

-MSK, participating

v2.23.0 | Report a Bug | By Email