IETF Logo Mail Archive

Re: [dmarc-ietf] Alternative draft text for draft-ietf-dmarc-arc-protocol

Brandon Long <blong@google.com> Tue, 09 May 2017 21:04 UTC

Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0959A12922E for <dmarc@ietfa.amsl.com>; Tue, 9 May 2017 14:04:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YiKJCKFmRdWq for <dmarc@ietfa.amsl.com>; Tue, 9 May 2017 14:04:55 -0700 (PDT)
Received: from mail-oi0-x232.google.com (mail-oi0-x232.google.com [IPv6:2607:f8b0:4003:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A73A129573 for <dmarc@ietf.org>; Tue, 9 May 2017 14:04:55 -0700 (PDT)
Received: by mail-oi0-x232.google.com with SMTP id h4so14866233oib.3 for <dmarc@ietf.org>; Tue, 09 May 2017 14:04:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=bCBP80vUIG17NKiiAa0bi38pVBTCFNAHf0uUjKYmUMU=; b=r1Xybh307eHOMnsEbjBJ6qQTJRKIoOTDtCxfudsAddAC9MsxhuDW0Pw5flTDyq18do VR3dUf9AWGtW4T3UU8BuU2kmiezigdAu7UdOj0S6n7Kf/T+1Oe81UON6DlVFc8FS3EhC CTpZSUfN4zc1SMICEg/YJG6Y+GeBMRxqYD2bAz7SPFIRDuePKicXbZnee3mnGeJjJrcP sb9zrKCBFOKLDP6UDR048h5LiP9ZzBU5Y8yHD8993ONr8gfMublgZRs7OiiyYNGPvSpD D1V4IldXwVyARJskclcBUCfw6+2FzeJ+a5TemkIH3frbLZO9vSklCRW8+eOaHR6DXHp2 XCtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=bCBP80vUIG17NKiiAa0bi38pVBTCFNAHf0uUjKYmUMU=; b=Dr/583pYSQYTMcHKjetfQsIsOL7j5armHb+WO9TB+5VJX0oamJlHrVMKvae3XRHYWh UGdlNgCFlK2FxkdhhAWEckhixQllRQJ4UNxOz2vtpeAiddCLWFZl5bzJXAlYKilCTBFu Weq0SSau9OswIOeaZFDqmcxt6GPypk3UIELJz/tU9H2owMpq7QUaqosYL8aFpTFyDVGs 6A6ElXfj4/N7WjRchYSHAAE4Iucoopg11Ol/279TpEAcgmzU2yy78IPvq3kyoL1rZV39 5u5k16I6lvu/1X3GsRZph/WFfoI7eOksKQlsQSb1sSxWmPh8DPbQdZqRnWiIliPLePhc TQAg==
X-Gm-Message-State: AODbwcBKQT5P6WKRE2JBoKAmeOxHRUUKrmroC4V2qRgWYv6FeVIETyk3 Xay3PzMjcwDwMggJOQNKYjru/le0aswb
X-Received: by 10.157.46.234 with SMTP id w97mr936681ota.78.1494363894719; Tue, 09 May 2017 14:04:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.8.34 with HTTP; Tue, 9 May 2017 14:04:54 -0700 (PDT)
In-Reply-To: <CAL0qLwZEeL8ksPK3AwXjty1+RRUgAH=kL1MUOwERGiGxOGd5NQ@mail.gmail.com>
References: <CAL0qLwZEeL8ksPK3AwXjty1+RRUgAH=kL1MUOwERGiGxOGd5NQ@mail.gmail.com>
From: Brandon Long <blong@google.com>
Date: Tue, 09 May 2017 14:04:54 -0700
Message-ID: <CABa8R6vL720q879ks7ELPBH6aXjigntmHQ65hy86T-MQvLJ6+g@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a114639d01c9128054f1db5e6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/VvdoBN72rezqdBfCzRIDT3ZCEc0>
Subject: Re: [dmarc-ietf] Alternative draft text for draft-ietf-dmarc-arc-protocol
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 May 2017 21:04:58 -0000

In 5.1 defining the AMS, you say that it should cover DKIM-Signature and
AuthRes headers.  In particular, AuthRes headers are expected to be removed
by ADMDs, especially if the message transits the same ADMD multiple times.
Also, the information in the AuthRes header is superseded by the ArcAuthRes
header.  Including it means an arbitrary AMS breakage for something pretty
minor, so I would recommend to not include it.

Our implementation explicitly blacklists that header.

I know some mailing lists also strip the DKIM-Signature header, but since
they are likely to break the AMS anyways, that's less important.  I'm not
sure what the benefit is to including it, but it seems harmless.  In
particular, if the DKIM-Signature still passes, then the ARC isn't adding
that much, and removing the DKIM-Signature header doesn't mean all that
much either since it's validity was already assessed and that assessment
included in the AAR.  We don't blacklist the DKIM-Signature method in our
implementation, but I don't understand the advisement.

You also talk about "responsibility".  I'm not sure that's how I would
describe it.  An ARC hop is documenting that a message passed through it,
and that it evaluated the authentication of the message.  The only
responsibility of a hop is to correctly validate the SPF/DKIM/ARC
information, there is no ownership implied over the message itself.

With AMS, you can answer the question: which ADMD is the last ADMD to have
modified the message.  I guess in that sense, the last modifier is
"responsible" for the current state of the message... but that kind of
means that the AMS of previous hops allows them to disown responsibility
for the current state of the message...

5.2 - should we point out that there should be only one of these per hop?
The openspf/dkim/dmarc implementations tend to add separate AuthRes headers
for each evaluation, but ARC requires those to be a single instance.

5.3.1 - none as defined as "arrives at an MTA from an MSA", perhaps my
understanding of those terms is slightly odd, but I would think that an MSA
usually uses an MTA to actually send the message, and it isn't that
"sending" MTA that's the first hop, it should be the first "receiving"
MTA.  I mean, that's usually the point at which the DKIM signature is
applied, and the SPF would be "from" there, not based on the location of
the MUA.

There are some missing pieces here, corresponding to the current draft
sections 5.4 (alternate signing algorithms), 6.4.3 (arc email
authentication method for AuthRes), 6.4.5 for dmarc xml.  I see that the
arc is included in your IANA section, not sure if the call out outside of
the definition is necessary or not.

Overall, I think your draft makes some things clearer, and some things in
the original are clearer.  It's worth looking into either combining or
choosing.


Brandon

On Thu, May 4, 2017 at 12:56 AM, Murray S. Kucherawy <superuser@gmail.com>
wrote:

> Colleagues,
>
> As I progress (slowly, alas) toward completing my sample implementation of
> OpenARC, I've found myself taking a lot of notes about the current draft.
> This has helped me make progress; in some cases it became things I posted
> to the list, and in others it was just to help or confirm my understanding
> of the protocol.
>
> I have developed this enough to become a fairly comprehensive alternative
> text to the current draft.  I find the layout of this version to flow
> better for my own purposes, and in a few places I've tried to clarify some
> of the material by rewriting chunks of it.  None of this is meant to assert
> that the current draft is deficient; I've just found it to be a helpful
> exercise for me.
>
> I offer it here to the WG as a contribution; the WG of course is free to
> use some, all, or none of it as it wishes.
>
> http://blackops.org/~msk/draft-kucherawy-dmarc-arc-base.txt
>
> If it would be more helpful to post this as an I-D, please let me know.
>
> -MSK
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>

v2.23.0 | Report a Bug | By Email