[dmarc-ietf] Two basic Issues to address to help complete DMARCbis
Hector Santos <hsantos@isdg.net> Sun, 23 April 2023 17:20 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D741CC151B19 for <dmarc@ietfa.amsl.com>; Sun, 23 Apr 2023 10:20:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KxkAUnCJuILG for <dmarc@ietfa.amsl.com>; Sun, 23 Apr 2023 10:20:12 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [3.137.120.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3602C14CF1B for <dmarc@ietf.org>; Sun, 23 Apr 2023 10:20:11 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=3159; t=1682270407; atps=ietf.org; atpsh=sha1; h=Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=9cVrCZYHPpIxIGlqixm3D+d4psnj9mfudc1Qme/h6P8=; b=UTxR /siinX23WhyGULtQ8IHWu0DuW2fpqPr4ooAq///H4VL/STHXL0MX7STACcP+Vzoq YdXCOUuNr22RYDAc0zvPPoQ+0YKjvH4jw2fav+1UTNH8iWEuGS0GWEV0iNf8+hUa EYYVbjAzJ3F0hRHSRD7Ijq1SXRPKjjZem+nMemU=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.13) for dmarc@ietf.org; Sun, 23 Apr 2023 13:20:07 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by winserver.com (Wildcat! SMTP v8.0.454.13) with ESMTP id 2663190332.1.5624; Sun, 23 Apr 2023 13:20:06 -0400
Message-ID: <644568C6.4000407@isdg.net>
Date: Sun, 23 Apr 2023 13:20:06 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <0abf9711-ca1c-bfcf-afb2-15e16b9de149@tana.it> <20230420153727.DB568C106CE9@ary.qy> <CAJ4XoYeyoOYeXW1QN+yeMbxt4SF7Kn2Xi=FP7VmX4MhKiDi9hQ@mail.gmail.com> <C3D9E708-EDC7-43BC-AE5E-DF4FFAECCC2B@kitterman.com> <7e2ae4c0-6ebf-4539-55b9-e5d85765a024@tana.it> <185759A8-10CD-40F8-89C8-FE774B077F52@kitterman.com> <a31a3a91-1fe1-40b0-ae4c-0e76520e722c@tana.it>
In-Reply-To: <a31a3a91-1fe1-40b0-ae4c-0e76520e722c@tana.it>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Td3iBmpY-q7vSicpnjE0h-L33xI>
Subject: [dmarc-ietf] Two basic Issues to address to help complete DMARCbis
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Apr 2023 17:20:16 -0000
On 4/23/2023 6:10 AM, Alessandro Vesely wrote: > > Meanwhile, digressions about ATPS and similar schemes can help > casting some light on future evolution. From: rewriting cannot be > the final solution; it is a temporary hack. Digressions don't slow > down the publication, as discussions about actual text quickly > prevail. They are just a mean to help convergence toward a common > vision of the future. With each year, that "temporary hack" becomes the new normal and it will be harder to clean up. It is not the right way and I don't its too late to reverse. However, it has been 17 years and DMARCbis is not finished without some clean up in this area. First, Section 4.4.3 should have text on using extended tag methods to provide 3rd party authorization methods. Just add the RFC 6541 abstract or version of it: ATPS [RFC6541] is an experimental specification proposed which adds a extended tag "atps=" allowing advertisement of third-party signature authorizations that are to be interpreted as equivalent to a signature added by the administrative domain of the message's author. ATPS was designed for ADSP. There is interest to apply this tag to DMARC to help deal with unchecked but authorized resigners false positives. Second, there are possible outcomes with members using restrictive domains: 1) Legacy MLS/MLM, unaware of protocol, unchanged author domain, submission mail integrity is broken due to long time practice of body and subject changes, can cause members of a list to be auto-unsubscribed when their receivers begin to honor p=reject and reject mail integrity DKIM failures. 2) Protocol Awareness, honoring the policy, constraining subscription and submissions to unsecured submissions. Restrictive domains not acceptable for list submissions. Note: It is possible to allow a Read-Only List Member concept. 3) Protocol Awareness, not honoring policy and tearing down the author security, replacing with unsecured distribution. The correct way for any protocol is to close security loopholes. In this case, recommend #2 using Subscription and Submission controls. Let the author domain figure it out. DMARCbis MUST recognize if the intent of the domain is to clean up their brand, by implementing hard failure rejects at both SPF and DMARC, then it should recommend handlers SHOULD honor the policy of the domain or be prepared for the possible false positives. I can understand why DMARCbis's editor does not want to document rewrite, but imto, can't be ignored anymore. The details of a rewrite can be quickly outlined. To help the RFC process, maybe DMARCbis could refer to the Functional Specifications of SSP (RFC5016) Section 5.3, Item 10 which basically reinforces the idea that local policy ALWAYS prevails and it is quite possible there will be undesirable tearing down of secured submissions. One possible mitigation is to replaced it with a secured rewriter with a p=reject policy. I don't think the above will take long to do and I believe will help resolve the conflict. -- Hector Santos, https://santronics.com https://winserver.com
- [dmarc-ietf] Is From spoofing an interoperability… Laura Atkins
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Dotzero
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Douglas Foster
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Laura Atkins
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Laura Atkins
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Hector Santos
- Re: [dmarc-ietf] Is From spoofing an interoperabi… John Levine
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Dotzero
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Alessandro Vesely
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Hector Santos
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Jesse Thompson
- Re: [dmarc-ietf] Is From spoofing an interoperabi… John Levine
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Laura Atkins
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… John Levine
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Alessandro Vesely
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Jesse Thompson
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Douglas Foster
- Re: [dmarc-ietf] Is From spoofing an interoperabi… John Levine
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Dotzero
- [dmarc-ietf] About UAID User Agent Identity. Hector Santos
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Hector Santos
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Alessandro Vesely
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Alessandro Vesely
- [dmarc-ietf] Two basic Issues to address to help … Hector Santos
- Re: [dmarc-ietf] Two basic Issues to address to h… Dotzero
- Re: [dmarc-ietf] Two basic Issues to address to h… Hector Santos
- Re: [dmarc-ietf] Two basic Issues to address to h… Alessandro Vesely
- Re: [dmarc-ietf] Two basic Issues to address to h… Hector Santos