IETF Logo Mail Archive

Re: [dmarc-ietf] Third party signatures

Wei Chuang <weihaw@google.com> Tue, 02 May 2023 16:01 UTC

Return-Path: <weihaw@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9E17C13AE2C for <dmarc@ietfa.amsl.com>; Tue, 2 May 2023 09:01:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -22.595
X-Spam-Level:
X-Spam-Status: No, score=-22.595 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, MARKETING_PARTNERS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IjRYH9KX7rWq for <dmarc@ietfa.amsl.com>; Tue, 2 May 2023 09:00:59 -0700 (PDT)
Received: from mail-ed1-x52d.google.com (mail-ed1-x52d.google.com [IPv6:2a00:1450:4864:20::52d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAA6FC15C528 for <dmarc@ietf.org>; Tue, 2 May 2023 09:00:59 -0700 (PDT)
Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-50694c0b5c2so1a12.0 for <dmarc@ietf.org>; Tue, 02 May 2023 09:00:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1683043258; x=1685635258; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=4rl7+mSIh4rhRp47u449Ix7/B17IezlJymnw+vgdD38=; b=lr7+T6jpE1uJ95brGU6ldhvXd7siNIdteKTzHP04+AEZise+LWSZt9OH10EGabHzoA jweftIfXRax0fggEr2IYRXiD4TSLG26+R5+Sf1PJP1IuWrulFv8IzQxWiJEoz3J1/pYe hv1wyGJuw4fEU1itLiDE9REl3oiCE+QnMsVquOq9UWB6WvwKxKTDlrWXhRCZ7tnXvENs DjtK55GEroddmV2lWW7IHuwHnD1trOaw9XIiszzOrVx3SF7jmELFpB+eNE9VXsFF7QUS lqpifBYx8Sc/qqRBxXoZPyFfv7gxM1RuIR6jedYboRzCIklV5pY3vkTpUU9YOmTwdRxM 6Ybg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683043258; x=1685635258; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=4rl7+mSIh4rhRp47u449Ix7/B17IezlJymnw+vgdD38=; b=LMeP24TqUoAtp1b47yO95PJcvI0NtUZsmWLUbojBXDfHrDgu9CFN1ZzwtBzG4+a5jL o5Hu96DBdCgMpOjSXWHysyx1Hna2d0lBtGX5MKVTmjO9JmCrz2uHYL34wLaBNBEketeN Sb2JuYo0LbADXJVaqsWLid0tzpHIZ7cEStcgULbIXQvBSkPWBcN0uWxtR5oIUHGfybsK QedPHPvYkmLuxu0LXztQO4GYTsSArxKKh2yje0ATqKbpaJ2MngWryIANfCveIX3mjR4N khfaYMHyE3OTfcsbIErbK2goJK9q61L9wI2wA43Vm2FpQkLlXbrXx7C8eN4fnIq74VS9 d5PA==
X-Gm-Message-State: AC+VfDze2DiyMHHp2cb/cjjagPdaqhHxffZgjAsH0fzdnWGzplu0LXKt uxDEm0cdSixGyEczUOY+5nHSAB4docnZRRdya6yohB6MFQupdWuXbjWHNg==
X-Google-Smtp-Source: ACHHUZ4IXm2zGwLn2y7x2E8r/A+WmAr4pxtDjkN4fZrPVzzjK29bI4S9JZCsIwdq5GLfEdQGlDrgcHOWNVvcgyhqxkU=
X-Received: by 2002:a05:6402:4404:b0:50b:c2b9:3992 with SMTP id y4-20020a056402440400b0050bc2b93992mr188eda.2.1683043256718; Tue, 02 May 2023 09:00:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAL0qLwa9DoTCVCOOgrB1NySd2-aE-5wVSGsLNh=8k7xwDLgrTw@mail.gmail.com>
In-Reply-To: <CAL0qLwa9DoTCVCOOgrB1NySd2-aE-5wVSGsLNh=8k7xwDLgrTw@mail.gmail.com>
From: Wei Chuang <weihaw@google.com>
Date: Tue, 02 May 2023 09:00:39 -0700
Message-ID: <CAAFsWK25X=ejnGP1xwyFrek3kGubexyyuH1jVgYr43wdRX-rJQ@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000008ed1af05fab80bf3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/TGpGmQ8-TIEZkMtxEyL9cQp_jsM>
Subject: Re: [dmarc-ietf] Third party signatures
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 May 2023 16:01:00 -0000

On Mon, May 1, 2023 at 8:23 PM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> Some thoughts about the third party signature discussion that happened
> over the last couple of weeks while I was away:
>
> I wrote ATPS as an experiment in 2012.  At the time we were still
> finishing DKIM (RFC 6376 was only five months earlier), and still talking
> about whether a third party signing solution was even possible.  Doug Otis
> had a similar "TPA" draft out at the time, but neither of us were getting
> any traction from the working group.  The community was quite dubious that
> the general idea could work, and TPA had a lot of complexity to it that I
> thought we could do without (or, at least, if we did need it, we could add
> it in later).  Since I had an open source platform to play with, I decided
> to implement something, include it in the platform, ship it, and see what
> happens.  I managed to get an AD to sponsor what became RFC 6541 to
> encourage other implementations to try it.
>
> In the years that followed, I think I only ever saw one consumer of that
> platform, other than me, enable the ATPS feature and try it out.  I know of
> only Hector's code as another implementation.  There have been claims that
> it was not "marketed" well, but I never saw any of this as something in
> need of marketing.  If it's a feature people needed, they would ask for it
> and turn it on, and we would hear that it solved a problem.  It wasn't hard
> to configure.  To me, that doesn't say we did a poor job of "marketing" it,
> but more that a path to its success wasn't clear in the contexts where we
> really needed it.
>
> There are two main reasons I can see for this, as both an implementer and
> a consumer of this stuff, when it comes to mailing lists and the DMARC
> problem:
>
> (1) Scale.  For mailing lists, ATPS only works if you list in your DNS all
> other domains that run lists to which your users subscribe.  If you have a
> handful of users, you might be able to work this out.  If you have a GMail
> number of users, you now have giant problems of user support and keeping
> that list current: "You mean I have to register every domain where I join a
> list?  This sucks!"  "I forgot to de-register a domain years ago, sorry.
> (And now that domain is still an authorized third party.)" "I typed the
> domain name wrong, how come it doesn't work?"  "Why can't you auto-detect
> all of this?"
>
> (2) Security.  ATPS doesn't specify what stuff the third party will
> generate as you.  That third party now, practically, has one of your
> signing keys.  Suppose you decide you trust the domain owner; do you trust
> the list?  If you declare through ATPS that you trust ietf.org, and the
> list server here doesn't validate mail at ingress, then I can send
> unauthenticated mail through the list as you and it'll be as valid as if
> you signed it yourself.  That might be OK for a marketing partner you're
> paying, but it's not awesome for free mailing lists.
>

Just wanted to voice agreement on both key points.


>
> So I don't think it really helps us here, at least not in its current
> form.  Unless I've misunderstood the proposal, amending ATPS to be a
> per-user thing only trades some of the second problem for more of the first
> problem.
>
> And I think the conditional signatures ideas suffer from the same two
> issues I identified above.
>
> I also have a vague inkling that we shouldn't be talking about ATPS in a
> DMARC document because that's a layering violation, in the sense that DMARC
> is built atop DKIM and SPF, and ATPS augments DKIM.  We might get away with
> saying something like "You ought to consider things that make DKIM more
> list-tolerant", but forcing people to undertake all the DNS and user work
> that ATPS entails drags a lot of stuff into DMARC that we probably don't
> want.
>
> Personally, I think the DKIM transforms drafts stand a better chance of
> success.  They need implementation and integration with a willing MLM, and
> some experimental deployments, to see for sure.  The notion of DKIM
> transforms is also a long shot because of the complexity with which lists
> modify messages.
>

Also agreement in these points.

One possible way to understand this space might be to create a table on
trust relationships.  For example, an enterprise domain conceptually might
be willing to have an outbound gateway sign on its behalf or be willing to
delegate via something like ATPS.  Potentially there might be a similar
relationship for ESPs and their customers.  Other senders will have a
much more restrictive trust relationship.  And this is all in the abstract
as others on this list understand outbound gateway and ESPs understand
their respective members of the mailflow better than I do.

As for DKIM transforms, I just wanted to suggest that this ought to be
future work for DKIM WG.

-Wei


>
> This is not me saying we should pivot to work on these other things, at
> least not right now.  I'm just skeptical that ATPS as defined can solve our
> problem.
>
> -MSK, participating
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email