Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd

Ian Levy <ian.levy@ncsc.gov.uk> Tue, 12 November 2019 14:12 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/SoJM8gNulOXGc0uZ_Aw1gZIiBBY>

> Let me pinpoint that the hack you talk about is the use of wildcards, which Scott's draft tries to fix with the np= tag.  That's a protocol issue.

Fair point. I was only trying to make sure that people don’t take wildcards as a long term solution to this problem. In our experience, they're not. 

> At a PSO level, someone decided that gov.uk can publish TXT records which may affect all of the downward tree --solved.  

That was me. Still don't agree that the problem is 'solved', but I may just be being a pedant :-).

> The bank PSO cannot do that, and we (the WG) look forward to ICANN allowing it --not yet solved.  

Agreed. 

> I hope I've now clarified what I mean by "ICANN problem".

Yes, thanks. I think we can, as the WG, do something - and that's to make known to ICANN the problem we believe exists and how their current policy could be amended (safely) to help fix it. We'll certainly do that, but I know our voice is not strong. Consistent messaging from people on this group would help, I believe. 

Ta.

I.

--
Dr Ian Levy
Technical Director
National Cyber Security Centre
ian@ncsc.gov.uk

Staff Officer : Kate Atkins, kate.a@ncsc.gov.uk

(I work stupid hours and weird times – that doesn’t mean you have to. If this arrives outside your normal working hours, don’t feel compelled to respond immediately!)

-----Original Message-----
From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Alessandro Vesely
Sent: 12 November 2019 08:17
To: dmarc@ietf.org
Subject: Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd

On Tue 12/Nov/2019 07:59:09 +0100 Ian Levy wrote:
>> while _dmarc.gov.uk returns a valid record. The latter is a Nominet, 
>> already solved problem, AFAICS.
> I can speak authoritatively about this. What we’ve got is an evil, 
> hacky kludge that has some weird side effects (since we respond to 
> *any* non existent sub domain, not just DMARC and SPF related ones). 
> It’s just about passable as an interim, but we believe we need a 
> better, targeted solution along the lines of Scott’s draft.

Thank you for chiming in.  Let me pinpoint that the hack you talk about is the use of wildcards, which Scott's draft tries to fix with the np= tag.  That's a protocol issue.

At a PSO level, someone decided that gov.uk can publish TXT records which may affect all of the downward tree --solved.  The bank PSO cannot do that, and we (the WG) look forward to ICANN allowing it --not yet solved.  The com PSO cannot do it either, but I'd guess lots of people trust that ICANN will never allow it.

I hope I've now clarified what I mean by "ICANN problem".  Scott's draft cannot solve it, albeit it nearly touches on the point at the end of the intro.  It is not a protocol problem.  It involves PSO-registrants agreements, and ICANN managing that stuff.  There is not much we (the WG) can do, except hoping that ICANN may consider protocol factors when making decisions.  As an Internet user, I'd welcome diversity among TLDs, as numerousness without diversity becomes just annoying.


Best
Ale
--
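Added illustration, not part of either message in this thread: a toy DNS zone and DMARC policy lookup showing why a `*.gov.uk` wildcard answers unrelated queries for any non-existent subdomain, while the np= tag from draft-ietf-dmarc-psd lets the PSD record state that policy without a wildcard. Zone names and records are constructed; organizational-domain discovery and the draft's A/AAAA/MX existence test are simplified away.

```python
# Added example, not from the thread: a toy DNS zone plus DMARC policy lookup
# contrasting the gov.uk wildcard workaround with the np= tag of
# draft-ietf-dmarc-psd.  Zone data is constructed; "non-existent" is modelled as
# absence from the zone (the draft tests for A/AAAA/MX records instead).
# A wildcard answers every non-existent name under gov.uk, so it satisfies DMARC
# lookups but also unrelated TXT queries (the side effect Ian describes).
WILDCARD_ZONE = {
    "_dmarc.gov.uk": "v=DMARC1; p=reject",
    "*.gov.uk": "v=DMARC1; p=reject",
    "example.gov.uk": "",  # exists, publishes no DMARC record of its own
}
# With np= the PSD record itself states the policy for non-existent subdomains.
NP_ZONE = {
    "_dmarc.gov.uk": "v=DMARC1; p=reject; sp=quarantine; np=reject",
    "example.gov.uk": "",
}

def _exists(zone, name):
    """A name exists if it is a key or an ancestor of one (empty non-terminal)."""
    return any(k == name or k.endswith("." + name) for k in zone)

def resolve_txt(zone, name):
    """TXT lookup with RFC 4592-style wildcard synthesis at the closest encloser."""
    if name in zone:
        return zone[name] or None
    if _exists(zone, name):  # exists without TXT data: no wildcard applies
        return None
    labels = name.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if _exists(zone, encloser):
            return zone.get("*." + encloser)  # only the closest encloser's wildcard
    return None

def parse_tags(record):
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

def psd_policy(zone, from_domain, psd):
    """Policy for mail from from_domain, falling back to the PSD record.
    Returns (policy, tag that supplied it); every name sits directly under gov.uk."""
    own = resolve_txt(zone, "_dmarc." + from_domain)
    if own:
        return parse_tags(own)["p"], "own/wildcard"
    psd_rec = resolve_txt(zone, "_dmarc." + psd)
    if not psd_rec:
        return "none", "no-record"
    tags = parse_tags(psd_rec)
    if "np" in tags and not _exists(zone, from_domain):
        return tags["np"], "np"  # non-existent subdomain: np= applies, not sp=
    return tags.get("sp", tags["p"]), "sp/p"
```

Querying `www.nonexistent.gov.uk` against each zone shows the difference: the wildcard zone returns a DMARC record for a name that has nothing to do with mail, the np= zone returns nothing, yet both reject mail from the non-existent subdomain.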