Re: [dmarc-ietf] third party authorization, not, was non-mailing list

John Levine <johnl@taugh.com> Mon, 10 August 2020 17:24 UTC

Date: Mon, 10 Aug 2020 13:24:11 -0400
Message-Id: <20200810172411.A13681E7CD8B@ary.local>
From: John Levine <johnl@taugh.com>
To: dmarc@ietf.org
In-Reply-To: <2ef8e773e7bf467481a05ab3fc4d937f@bayviewphysicians.com>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/VFyNt0BNfyFSqzStdcXersKBi98>

In article <2ef8e773e7bf467481a05ab3fc4d937f@bayviewphysicians.com> you write:
>>Even an external reputation system requires recipient participation.   That is why I suggested both a send3="parameters" clause to
>indicate sender support for third-party authorization and a verify3="parameters" clause to indicate recipient support for third-party
>authentication.    When both are visible to the non-domain message source, that source can have confidence that the message will be
>handled as authorized.

We have had a lot of attempts at third-party authorization schemes
going back at least to vouch-by-reference in 2009 and ATPS in 2012,
and the Spamhaus Whitelist in 2010.  Every single one of them failed,
not due to technical problems, but because nobody was interested.

The only third party reputation systems that anyone uses are DNSBLs
like Spamhaus that publish negative reputations, and even there you
can count the ones with non-trivial use on the fingers of one hand.

With this in mind, I cannot see any point in designing yet another
vouching or authorization scheme unless we have evidence that an
interesting fraction of the world's mail systems want to use it. I
don't see that, and honestly see no chance that we ever will.

R's,
John