IETF Logo Mail Archive

Re: [dmarc-ietf] Additions to draft - Security Considerations

Douglas Foster <dougfoster.emailstandards@gmail.com> Mon, 02 May 2022 03:01 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09627C157B34 for <dmarc@ietfa.amsl.com>; Sun, 1 May 2022 20:01:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pz65gveV9ZQf for <dmarc@ietfa.amsl.com>; Sun, 1 May 2022 20:01:12 -0700 (PDT)
Received: from mail-ot1-x32c.google.com (mail-ot1-x32c.google.com [IPv6:2607:f8b0:4864:20::32c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40344C14F73E for <dmarc@ietf.org>; Sun, 1 May 2022 20:01:12 -0700 (PDT)
Received: by mail-ot1-x32c.google.com with SMTP id m6-20020a05683023a600b0060612720715so1763138ots.10 for <dmarc@ietf.org>; Sun, 01 May 2022 20:01:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=ddrj/HIbZV9ltcRm78RK8+82Fi0q1cEP3Rh4OuHWcZE=; b=nt2nv1+9f3l3bjb+s3OvZ8lZJ7brFH9JQyAfKI1EBij3n8Z6Lw3N7H/DSORwnn0iZ7 z4DZIP5PFT8ZN0dghxZXp6FGo4wHaRlqu4BBtv5JkxsrwNh7sYpiPAdW1B+dob5wbNF1 ZgHmfw3vXSKYZllJ3SvzDlYBIcDgImirgZ9B86RUNrarB6CzbY2/7MeM9JdVc8K83Vm0 oRkwUmKl49DTM6HdeqUGMzTzNo4qFvqMmXIvbrRL4QRHpJg9qoHVFX+4Y4IpFem8O7sq tIks53P3yAeDKKYlpBtNgAXKYaJXgJXH6lL5KJAOWBbfUBeXfxFhrbYZTF/w5lQRshpT pBoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=ddrj/HIbZV9ltcRm78RK8+82Fi0q1cEP3Rh4OuHWcZE=; b=zlOSWzAOxhUd+PS0uBdIbv7KYdnVGRGSEol1buMkXYY7BoxS+XyMYAHgS8FSSlk/yw rfTbhg0f6TitgVZ12Llc14G3oZmN6R6m5rhMfromeswPRtjtd9QhQq4wBDwPULNg7eyy xkSRUoJ1Ii4ZsivcmR7SNm/xrpHNlGtDmTobghsG6IACsbkzItNWJd9gT4iZmtoVvq8V lJHwnOOr6ukpZSI+3xG/hiFYPYMGv62r+DhmzHoR+/FZGSD1BbKMZ9usqdhXcFwLxxG7 bVykyhJQUd+muWFDlA3RURDFt+jtNxNFTbofMFSYptbbg6QdsMiEZOYUqnswEUEAIp05 86Iw==
X-Gm-Message-State: AOAM533k1p9DreGRrtARs+FvgXmZDgxzi9KsZXg1QmStB3w3qGn20Vxg aG/qUj6YEXVSpCY9iZQdCHy5fGaU5sU0nJne524qsuHcQvg=
X-Google-Smtp-Source: ABdhPJzeg8w4GJv72OK0WxKZZUjPT6mCK+b0xux72G0R2+eiBxL1EoUhxEL0ZTd/gzUk3wnZJ6QFWR1/Prd1F73XlNg=
X-Received: by 2002:a05:6830:1cc8:b0:5e6:f41c:f157 with SMTP id p8-20020a0568301cc800b005e6f41cf157mr3458165otg.82.1651460470963; Sun, 01 May 2022 20:01:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48Zfz5MWDuQa1DJQE_YK9gAUL4P-se4CeGAGYCf+c6D0ysaA@mail.gmail.com> <2934216.d6BrxOLGqM@zini-1880> <CAOPP4WE1RQqf3FMufg2DTabBFeEZkA6D3FUMD-hKFjsVjXVkDQ@mail.gmail.com> <52A980B4-B155-4CA4-A9DA-8A11DDDC0AA9@kitterman.com>
In-Reply-To: <52A980B4-B155-4CA4-A9DA-8A11DDDC0AA9@kitterman.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sun, 01 May 2022 23:00:51 -0400
Message-ID: <CAH48ZfwwKQOEuBFPB8o0_mXvRi8u2-p_csSB6zO9tOUKXKLmuw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bb82c005ddfe9a6d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Va80_EA4S1BSnG2Aa-T7TSKxixg>
Subject: Re: [dmarc-ietf] Additions to draft - Security Considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 03:01:16 -0000

Unfortunately, the PSL is not an adequate tool for validating the Tree Walk
algorithm.   You disparaged that idea when I proposed it earlier, and you
were right.

The expected PSL error is domain fragmentation, because
Cross-Site-Scripting scope boundaries are likely to be narrower than email
domain boundaries.   The expected Tree Walk error is domain consolidation,
because missing information will cause the walk to continue upward.  When
the two algorithm results are compared, we know nothing about which
algorithm is mistaken.  (Maybe both algorithms are incurring their
respective error types are occurring at the same time!)

We have a fundamental weakness when a trust-verification algorithm like
DMARC is highly dependent on unverifiable data about organizational
boundaries.   The PSL algorithm has this problem, which is why we are
considering a replacement, but at least its mistakes are not considered
malicious.   Additionally, a domain owner can manage the consequences of
domain fragmentation by adding more DMARC policies and adjusting DKIM
signature domains.   For the Tree Walk Algorithm, mistakes are likely to be
malicious, and the malicious domain owner has no incentive to fix the
problem.   Observing that malicious use will only be possible on a few
domains is not the same as solving the problem.

I have proposed a solution to this problem, which replaces the awkward and
"intentionally confusing" psd=n token with the more useful
OrgsBelow=<integer> token.   The OrgsBelow token both indicates an
organizational domain and defines the subtree to which it applies.
 Consequently, if fixes the known vulnerability in the Tree Walk
algorithm.  The real question is why there is resistance to solving the
problem correctly.



On Sun, May 1, 2022 at 7:59 PM Scott Kitterman <sklist@kitterman.com> wrote:

>
>
> On May 1, 2022 11:25:02 PM UTC, Neil Anuskiewicz <neil=
> 40marmot-tech.com@dmarc.ietf.org> wrote:
> >  On Apr 24, 2022, at 8:57 PM, Scott Kitterman <sklist@kitterman.com>
> wrote:
> >>
> >> For cases where strict alignment is not appropriate, this issue can be
> >> mitigated by periodically checking the DMARC records, if any, of PSDs
> >above
> >> the organization's domains in the DNS tree and (for legacy [RFC 7489]
> >checking
> >> that appropriate PSL entries remain present).  If a PSD domain
> publishes a
> >> DMARC record without the appropriate psd=y tag, organizational domain
> >owners
> >> can add psd=n to their organizational domain's DMARC record so that the
> >PSD
> >> record will not be incorrectly evaluated to be the organizational
> domain.
> >
> >Though the risk’s low, “periodically checking the DMARC records, if any”
> >isn’t particularly reassuring. It’s like saying periodically give your
> >pilot a breathalyzer. :-)
>
> I agree, although in this case it can be automated.  Similarly,
> periodically checking the PSL under the current scheme would be a good idea
> and not hard to do.
>
> Scott K
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email