Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations
Dave Crocker <dcrocker@gmail.com> Sun, 19 July 2020 18:33 UTC
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <cd9258e6-3917-2380-dd9b-66d74f3a64d3@gmail.com> <20200717210053.674D61D2C431@ary.qy> <CAL0qLwbkhG-qUyGqxaEjcFn2Lb7wPMhcPFEMA8eqptBJpePPxA@mail.gmail.com> <8efcf71c-f841-46a4-10b7-feb41a741405@gmail.com> <CAL0qLwbK7GQXkiS+H8GtsvHMzWr4o431Shc7Cc9MhqsTiHfzFw@mail.gmail.com> <bc7ed18c-8f1d-b41b-0a4b-3aa180a63563@gmail.com> <CAL0qLwYgs7py1aTQ87pykNT_0dpnrKz=+1DxMMSQMgbwz4XZDg@mail.gmail.com>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <381c7792-5bd8-a1be-6b93-b7df015a2333@gmail.com>
Date: Sun, 19 Jul 2020 11:33:46 -0700
In-Reply-To: <CAL0qLwYgs7py1aTQ87pykNT_0dpnrKz=+1DxMMSQMgbwz4XZDg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/UKtzcEXNE1q7gyq33V3xrnW4mvs>
On 7/19/2020 11:08 AM, Murray S. Kucherawy wrote:
>
> > gain: There is quite a bit of experience demonstrating that
> > providing trust indicators to end users does not produce reliable
> > -- ie, useful -- decision-making by end users.
>
> We appear to be talking past each other. I wasn't talking about trust
> indicators, but rather whether the RFC5322.From domain is visible. I
> don't have any reason yet to think trust indicators are effective.
>

The view that the From: address, or domain, or Display-Name is used, by end-users, for assessing the trustworthiness of a message means it/they are used as trust indicators. The track record is that people are unreliable at this.

There is quite a bit of distance between 'unreliable' and 'blindly open and read absolutely everything'.

In any event...

The essential point that needs to be made is that standards like this MUST NOT be cast in terms of what end users will do. In practical terms, this work has nothing to do with end users. Really. Nothing.

To the extent that anyone wants to make an affirmative claim that end-users /are/ relevant to this work, they need to lay that case out clearly, carefully, and with material that provides objective support.(*)

By contrast, saying that this work provides input to a receiving filtering engine makes the work easy to explain and understand and defend.

d/

(*) I've seen one posting here or somewhere else that noted that letting bad mail through can lead to end-users being deceived. I'll claim that while true, it is not relevant, since the behavior happens after DMARC, and the like, are relevant. That is, DMARC, etc., do not inform the end-user behavior.

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net