IETF Logo Mail Archive

Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations

Dave Crocker <dcrocker@gmail.com> Sun, 19 July 2020 18:33 UTC

Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40B253A08ED for <dmarc@ietfa.amsl.com>; Sun, 19 Jul 2020 11:33:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hS2FRdB4vVtH for <dmarc@ietfa.amsl.com>; Sun, 19 Jul 2020 11:33:50 -0700 (PDT)
Received: from mail-oi1-x22a.google.com (mail-oi1-x22a.google.com [IPv6:2607:f8b0:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DBEC3A08EC for <dmarc@ietf.org>; Sun, 19 Jul 2020 11:33:50 -0700 (PDT)
Received: by mail-oi1-x22a.google.com with SMTP id e4so12663784oib.1 for <dmarc@ietf.org>; Sun, 19 Jul 2020 11:33:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=frtl2LCo0qOmUMRlRdjdbwM165al3u3NG9UH+jMbLIE=; b=nyOCfVeXnlT8oc9mvU9H6NRB1wX8h9coJLD2W22Le+IrxJvjJCLdOI8LrBiMtOSkAR /zdMeFgiZYDyNKRfUSLSzS3BzzXbRg/lIUSffuK9/7qsAmjL5JnwNUdYgUYf8kWkhEk7 oH8fKTtm0qNoHM2gLOwDOsgg2dltyhWvrc1bbDp2LrmIhXaIdLmLSV785kdiYnlhWI6A JBHKzmpslUwaoe3ELqaRiE5pZM5stl067NqTpG4nRwov1DvICRHlyNPcLWQOlpvB7ErC Bp5cHC1nHzIXJl8U+PZo4rgpd8Lfm02VSZID/MI49N5s8ZgZZiPedhDvDmgagdrWKQns s/AA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=frtl2LCo0qOmUMRlRdjdbwM165al3u3NG9UH+jMbLIE=; b=mxESnmPF+qYj8doZC3lsthCGBmyqATAa/4jh6GhluNnPdnSZfIUmU5IImnTs4AwU54 0R9YrYXF/Aj9UhJKgJ8dZjaTNiq9NgYn9C+mrf+1ymqxGb8NjxWtSfrZZzUwKLROn85J Ejw3HnkLM5zcfy03MMU4Sr4E6ZQKBDEMAN8w+64Ot+5Usiw+5w8muxckfsFk/tKKDDSG /jmD1Ni3uFrHaZKEeBUqIrSniqXsg5U1u+QgTLDX2OwRV3F/lBwDUNY2zyU8KU1f/fEj JJyAwCH0AIbW1jIcNI+MtGpnDcS9X7+fZCCPEs2KV91Hq25ehim6wNye+51QFjMhbtWb DEsQ==
X-Gm-Message-State: AOAM531drzfWcZXUNMl2znxZd+IA01fOf6wmMTDV8SE2g4cfENv7rHr6 1IA7+RPeOp5eCLuIZFX05NOR/0jzuXw=
X-Google-Smtp-Source: ABdhPJx7ZfT5KV5yOnIgtM4LRjOVzBydxIGDXARwyYyz58+YCR/fIL7Km4Kncf75kAS9G/6OYy7OIw==
X-Received: by 2002:a05:6808:6ca:: with SMTP id m10mr15619782oih.85.1595183629116; Sun, 19 Jul 2020 11:33:49 -0700 (PDT)
Received: from ?IPv6:2600:1700:a3a0:4c80:fc69:4fcf:5c0d:166? ([2600:1700:a3a0:4c80:fc69:4fcf:5c0d:166]) by smtp.gmail.com with ESMTPSA id o23sm3125986otl.0.2020.07.19.11.33.48 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 19 Jul 2020 11:33:48 -0700 (PDT)
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <cd9258e6-3917-2380-dd9b-66d74f3a64d3@gmail.com> <20200717210053.674D61D2C431@ary.qy> <CAL0qLwbkhG-qUyGqxaEjcFn2Lb7wPMhcPFEMA8eqptBJpePPxA@mail.gmail.com> <8efcf71c-f841-46a4-10b7-feb41a741405@gmail.com> <CAL0qLwbK7GQXkiS+H8GtsvHMzWr4o431Shc7Cc9MhqsTiHfzFw@mail.gmail.com> <bc7ed18c-8f1d-b41b-0a4b-3aa180a63563@gmail.com> <CAL0qLwYgs7py1aTQ87pykNT_0dpnrKz=+1DxMMSQMgbwz4XZDg@mail.gmail.com>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <381c7792-5bd8-a1be-6b93-b7df015a2333@gmail.com>
Date: Sun, 19 Jul 2020 11:33:46 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CAL0qLwYgs7py1aTQ87pykNT_0dpnrKz=+1DxMMSQMgbwz4XZDg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------712D6B056CB044085E6782F0"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/UKtzcEXNE1q7gyq33V3xrnW4mvs>
Subject: Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jul 2020 18:33:51 -0000

On 7/19/2020 11:08 AM, Murray S. Kucherawy wrote:
>
>     gain: There is quite a bit of experience demonstrating that
>     providing trust indicators to end users does not produce reliable
>     -- ie, useful -- decision-making by end users.
>
> We appear to be talking past each other.  I wasn't talking about trust 
> indicators, but rather whether the RFC5322.From domain is visible.  I 
> don't have any reason yet to think trust indicators are effective.
>
The view that the From: address, or domain, or Display-Name is used, by 
end-users, for assessing the trustworthiness of a message means it/they 
are used as trust indicators.

The track record is that people are unreliable at this.

There is quite a bit of distance between 'unreliable' and 'blindly open 
and read absolutely everything'.

In any event...

The essential point that needs to be made is that standards like this 
MUST NOT be cast in terms of what end users will do.  In practical 
terms, this work has nothing to do with end users. Really.  Nothing.

To the extent that anyone wants to make an affirmative claim that 
end-users /are/ relevant to this work, they need to lay that case out 
clearly, carefully, and with material that provides objective support.(*)

By contrast, say that this work provides input to a receiving filtering 
engine made the work easy to explain and understand and defend.

d/


(*) I've seen one posting here or somewhere else that noted that letting 
bad mail through can lead to end-users being deceived. I'll claim that 
while true, it is not relevant, since the behavior happens after DMARC, 
and the like, are relevant.  That is, DMARC, etc., do not inform the 
end-user behavior.

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

v2.23.0 | Report a Bug | By Email