IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

"Murray S. Kucherawy" <superuser@gmail.com> Mon, 20 August 2018 10:28 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA817130EBC for <dmarc@ietfa.amsl.com>; Mon, 20 Aug 2018 03:28:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0pYneoshZ5lp for <dmarc@ietfa.amsl.com>; Mon, 20 Aug 2018 03:28:44 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82212128BAC for <dmarc@ietf.org>; Mon, 20 Aug 2018 03:28:43 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id u7-v6so11185334lji.3 for <dmarc@ietf.org>; Mon, 20 Aug 2018 03:28:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=cvoN4behNjokY7jCOI04eVibZKD9fflnJ0gbkyld5KY=; b=iTG0nBuAt7jE3Q5z7dT5H+2uziTkI/WWdYRMjdCgcwG4te6Ewsv9Y6jytYSEPW5gZw MjeRe4I8f0Zd38/J3QPKQQeAzWymsa6dhz3XnU+6WVoUmu6xb3qjg43Vqf6MkNxXfpZl Wf6xbSySPDs01eKqldM+fzqfzg5TxyGQOZOV+Ge1EfOCOmaCkNlSq2350X8nSkfU62pj I2yXI69Upg7fvCufelrEK0pvLhdwB1UAmGCz1LdEmvE6data6GkdFofvU7xt/TYgfFRh xIbbT4yBxYeBdX41837+pmsXnL7ELt4b9IOyqJeYmBB8Km+9M8xW9LdsIYx+hAOlxIuD iwRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=cvoN4behNjokY7jCOI04eVibZKD9fflnJ0gbkyld5KY=; b=BoByvcKslWo9kshm2MLPMkf1ZxsvKx/T8aA5GBIoUFNEXMhleFUYnA37ERMdowb1yq 736mW29QT8iCo0924T9THJAWQbCwp0rHAQbuX1ABdhrBLwNIx79h83KOG/SrlNFMeIqG x0phMqfFE0OMB2wzgekfSVuOts/Ku2vwFyJ72lTcmt42DKoHa5imw8XRv5fRhBkR735s Mmg9iyD019oukcgr3dpXzXI5rEDUhyCgE2puRiDE6I6U4jQe91wx0dylHZfaoDprrVbi CREuOMLYN17IwQPkiK517n/OKp9fbXDSGKL0G3bBzAtpsOG57GUVl6GBt/HQlm1UQm7I UHwQ==
X-Gm-Message-State: AOUpUlEw+qDNWkrHmV1hZKgvM1b9DlIWr68ZK3L9VeE2HAn+S6UFLM7f hCuxzKZHs5ugfedTORI9jTFCoQyfcUXW0HuSFYY=
X-Google-Smtp-Source: AA+uWPxGvIBX5zfZqdJsVaZVYPRxDRes9NzsHwNSK+RkgKce0Clyij6pGCokyb7n9nsSbWVezo99YyIeY3E78+FkwHo=
X-Received: by 2002:a2e:4357:: with SMTP id q84-v6mr14176696lja.13.1534760921661; Mon, 20 Aug 2018 03:28:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a2e:3a13:0:0:0:0:0 with HTTP; Mon, 20 Aug 2018 03:28:40 -0700 (PDT)
In-Reply-To: <CAD2i3WNBdG2=uC+mx0uaA7z08V1f5t3qz9VZabL4mFO0ZQn2ng@mail.gmail.com>
References: <CAD2i3WNSe+of7U8fdTnmUeU3sthUbpEVgdYHT9J6BgLxoeOL3w@mail.gmail.com> <20180730221726.713CE200316625@ary.qy> <CAD2i3WMvCugRm4KZeLx3PFb6f_pKR3rs4mnH2FZO4_X7ZA7GHA@mail.gmail.com> <alpine.OSX.2.21.1807302025420.60501@ary.qy> <CABa8R6sWSu9Q+mozxzaVGab3PE2zxqVmt4L6FERSLC1oDTh1oA@mail.gmail.com> <alpine.OSX.2.21.1808031352460.29088@ary.qy> <CABa8R6u_09D9BNiq3fXDXjPVfFeZxHtRa0NyLamKyj033xO72A@mail.gmail.com> <CAD2i3WNJdQ95drzue17UdKEb_6qkN7DuB7WdMbORTSjWGgwJZA@mail.gmail.com> <CABa8R6sgtcAHGt10GQ85PvhYvEZfv1K1SqiFLe7ozWeZ5+Y30A@mail.gmail.com> <CABuGu1rmxMWhUQvzf=uyNVYSb1zGCgWtiak5+yPKaXGWPV4XUg@mail.gmail.com> <CAL0qLwbjpMH30hD8xKnAgT6kJ9wmN9hm3gwnRGmiqTOxKLiHDw@mail.gmail.com> <a6eb3ab9-0e0f-f3e5-9dd0-8d9e992595a0@gmail.com> <CAD2i3WNBdG2=uC+mx0uaA7z08V1f5t3qz9VZabL4mFO0ZQn2ng@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Mon, 20 Aug 2018 03:28:40 -0700
Message-ID: <CAL0qLwZpFGUog9VxxnvwS+gHk9q-tyB85qoNdmQefHO31+SKMg@mail.gmail.com>
To: Seth Blank <seth@sethblank.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008d06010573db5f20"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/SyMe5ocsyb93SrYu_sZq03_9u9Y>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2018 10:28:46 -0000

(back from vacation and catching up)

On Tue, Aug 14, 2018 at 8:58 PM, Seth Blank <seth@sethblank.com> wrote:

> There are THREE consumers of ARC data (forgive me for the names, they're
> less specific than I'd like):
>
> 1) The ARC Validator. When the Validator sees a cv=fail, processing stops,
> the chain is dead, and shall never be less dead. What is Sealed is
> irrelevant.
>

Right.

2) The Receiver. An initial design decision inherent in the protocol is
> that excess trace information will be collected, as it's unclear what will
> actually be useful to receivers. 11.3.3 calls this out in detail. Without
> Sealing the entire chain when attaching a cv=fail verdict, none of the
> trace information is authenticatable to a receiver (see earlier message in
> this thread as to why), which is the exact opposite of the design decision
> the entire protocol is built on. To guarantee this trace information can be
> authenticated, the Seal that contains cv=fail must include the entire chain
> in its scope. This is where this thread started.
>

I see two possible workflows here:

(1) Verifier (to use the DKIM term) detects "cv=fail" and stops, because
there's nothing more to do.  But the Receiver now has no ARC information
except a raw "cv=fail" to relay via A-R or whatever.  But this, as you
point out, flies in the face of the notion of giving receivers details
about the message.  The Receiver now has to implement ARC to get whatever
details might be prudent from the message.

(2) Verifier sees "cv=fail" but will still attempt to verify it and maybe
extract other salient details to add to an A-R.

When you say "you see cv=fail and stop", I think of the first thing, which
is alarming layer mush, and is also ambiguous in that if the Verifier stops
dead at seeing "cv=fail", it doesn't matter at all what content got sealed.

So if you mean the second thing, part of my issue goes away.

3) The receiver of reports that provide ARC data. For a domain owner to get
> a report with ARC information in it, there needs to be some level of trust
> in the information reported back. When a Chain passes, all the
> intermediaries' header field signatures can be authenticated, and the
> mailflow can be cleanly reported back. When a Chain fails, that is
> important information to a domain owner (where is my mailflow failing me,
> how can I figure this out so I can fix it?). Again, without Sealing over
> the entire Chain when a failure is detected, this information is
> unauthenticatable (and worse, totally forgeable now without even needing a
> valid Chain to replay), and nothing of substance can be reported back.
> Sealing the Chain when a cv=fail is determined blocks forgery as a vector
> to report bogus information, and allows authenticatable information to be
> reported back.
>

I think we're talking about distinct failure modes.  I totally agree with
you in the case where the chain has failed because content was altered.
But doesn't your assertion here presuppose an at least syntactically intact
chain?  If the chain is damaged to the point where it cannot be
deterministically interpreted, the sealer adding the "cv=fail" might add a
seal that a downstream verifier cannot correctly interpret.

I understand what you're after but I also understand the intent behind
5.1.2, which is to produce something unambiguous.  My problem with 5.1.2 as
it stands is that a verifier now has to try verifying the "cv=fail" two
ways (one with everything, one with just the last instance), and at least
one of them has to work.  We've cornered ourselves here by rejecting
"cv=invalid".

>
> And to be even clearer: what is Sealed when cv=fail is reached (itself,
> the entire chain, or nothing at all) DOES NOT AFFECT INTEROPERABILITY. But
> it does effect preserving trace information and preventing forged data from
> being reportable.
>

I disagree, as stated above; a mangled chain cannot be sealed in a way
guaranteed to interoperate.

This is my very strong INDIVIDUAL opinion. But I'm fine if the group sees
> differently, as this could be investigated as part of the experiment (i.e.
> do any of the above points matter in the real world? I say they do, hence
> the strong opinion.). As an editor, I'll make sure whatever the consensus
> of the group is is reflected in the document.
>

I've no objection to collecting superfluous trace information to support
the experiment.  What I'm concerned about is the introduction of weird
protocol artifacts or ambiguities that could get baked in and hard to
remove later.

-MSK

v2.23.0 | Report a Bug | By Email