Re: [dmarc-ietf] third party authorization, not, was non-mailing list

Hector Santos <hsantos@isdg.net> Sun, 30 August 2020 02:23 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A4923A131F for <dmarc@ietfa.amsl.com>; Sat, 29 Aug 2020 19:23:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.048
X-Spam-Level:
X-Spam-Status: No, score=-3.048 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.948, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=PYU/l07S; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=X/OW5+kh
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XX6DobtO3uVT for <dmarc@ietfa.amsl.com>; Sat, 29 Aug 2020 19:23:49 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21CF83A131C for <dmarc@ietf.org>; Sat, 29 Aug 2020 19:23:48 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=2230; t=1598754223; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=AR2eFhINdGJ4O4bnnaNu3hFHaWU=; b=PYU/l07S03s2AVG+z4t5jmsgsN9DNax/s8kVZxOzK8LbYPzbJhkYh5bjbq8E9z n8If0U8Cf2ipFg6UwumOByDubrxI2WWWz4y8IVd8R7jIgqWf6WkBkHXJoKqy66Tf Y+E+mItTSs1DBpcnre/0wefErb91lS3deuen+0IOlNjIM=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Sat, 29 Aug 2020 22:23:43 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 784341124.1.3308; Sat, 29 Aug 2020 22:23:42 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2230; t=1598754055; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=k1mNITX hSkprdaRUFzF9w9FdVnnK9bS8Yhyk1mO9CV8=; b=X/OW5+khBSchqaIuvZoTzIL Ww4qrk8U1FillmuINStbxTtUY2YWmZh8lwc0KhDGKGRMw8VWSi6u+pXlJU850d/4 7ofGeDuKy0UHyYDNH5cv9H0zczRWQ3NW0tlMtLq/vxAMM/ZMrZN/W+xmtUMWvKsu NyZf9jJw+ASW1gjGElPM=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Sat, 29 Aug 2020 22:20:55 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 651293703.1.4180; Sat, 29 Aug 2020 22:20:53 -0400
Message-ID: <5F4B0DAD.1050208@isdg.net>
Date: Sat, 29 Aug 2020 22:23:41 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Jim Fenton <fenton@bluepopcorn.net>, Dotzero <dotzero@gmail.com>, Doug Foster <fosterd=40bayviewphysicians.com@dmarc.ietf.org>
CC: IETF DMARC WG <dmarc@ietf.org>
References: <20200824172403.A927C1F14BF5@ary.qy> <5fe7d5c2-7330-c9fb-2856-e7dfc2175c82@tana.it> <CAJ4XoYc1vutV61E-66DHWcdOxHmCUWiC0HC0AmiRYUcMxLgcCQ@mail.gmail.com> <1fe7a47f-4ebc-7621-2c1-e4803473e8d7@taugh.com> <CAJ4XoYf3_y4tb5JYm5fGndqxKN+070LvZ6i5kjHKqH0NnbHnhg@mail.gmail.com> <001801d67bce$bdf97510$39ec5f30$@bayviewphysicians.com> <CAJ4XoYdR-kHARvkYjbbyqoEnx8YV5RP4x1z40M3-z9ap1ypcRg@mail.gmail.com> <10ed5aec-7e4f-b6d4-0564-613fd92ebf72@bluepopcorn.net>
In-Reply-To: <10ed5aec-7e4f-b6d4-0564-613fd92ebf72@bluepopcorn.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/VwFy6mOeJvtnBwd8s_vi0RFfoA0>
Subject: Re: [dmarc-ietf] third party authorization, not, was non-mailing list
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Aug 2020 02:23:52 -0000
On 8/26/2020 5:00 PM, Jim Fenton wrote:
> On 8/26/20 10:54 AM, Dotzero wrote:
>>
>>
>> On Wed, Aug 26, 2020 at 1:32 PM Doug Foster
>> <fosterd=40bayviewphysicians.com@dmarc.ietf.org
>> <mailto:40bayviewphysicians.com@dmarc.ietf.org>> wrote:
>>
>>     Are the weak signatures vulnerable to a replay attack?    I
>>     thought that one of the reasons that DKIM signatures included
>>     the whole body was to prevent the signature from being reused.
>>
>>     DF
>>
>>
>> Not particularly vulnerable. The requirement is that you have the
>> "weak signature" plus the intermediary full DKIM signature. This
>> lets the validator/receiver know that the originating domain knew
>> that the intermediary might break the originating domain's DKIM
>> signature but the validator/receiver would have the DKIM signature
>> of the intermediary. The "weak signature" is only validated against
>> that specific message and headers it signed and that specific
>> intermediary. It's not a generic/general signature.
>
>
> It sounds like the weak signature is just a regular DKIM signature
> plus the designation of the intermediary, and the "weak" part is that
> you don't check the body hash against the body. Have I got that right?

Yes.

ATPS vs Conditional Signature

The end goal is technically the same. Author Domain authorizing a 3rd 
party signer.

The key difference is DNS. ATPS uses DNS to authorize the signer. 
Conditional signature has the extra tag to define an expected 3rd 
party signature by a 3rd party domain uplink.

For the signing code, there is no change for ATPS. Conditional 
requires significant signer code change.

For the verifying code, the DMARC verifier adds ATPS DNS lookup checks 
if the 1st and 3rd party domains differ (1st != 3rd), or it can also add 
conditional signature checks.

We should ALLOW both to be explored.

For conditional, you don't need a DMARC tag extension.  The existence 
of the extra tag triggers the logic.

For ATPS RFC6541, it was designed to piggyback off ADSP. So ATPS will 
need to be updated to use DMARCbis.  The Domain sets the atps=y 
extension tag to trigger the logic.


-- 
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos
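
Added example, not code from this post or from any of the projects or drafts it mentions: a Python sketch of the verifier-side ordering Hector describes (aligned DKIM first, then an ATPS DNS lookup when the author and signer domains differ, then a conditional-signature check), with the RFC 6541 record-name construction (base32 of the hashed signer domain under `_atps.<author domain>`, `v=ATPS1; d=...` TXT content) worked through. Assumptions: the domains `author.example` and `list.example` and the TXT zone are constructed; DKIM cryptographic results are passed in as booleans rather than verified; `atps=y` in a DMARC record is modelled as the DMARCbis extension tag the post proposes, not a published DMARC tag; the `!fs` tag naming the expected intermediary is the tag name this example assumes for a conditional signature; the signer domain is lowercased before hashing.

```python
import base64
import hashlib
import re


def parse_tags(value):
    """Parse a DKIM/DMARC/ATPS tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def atps_query_name(author_domain, signer_domain, atpsh="sha1"):
    """RFC 6541 record name: <base32(hash(signer))>._atps.<author domain>.
    atpsh=none places the bare signer domain in the label instead of a hash.
    Lowercasing the signer before hashing is this example's assumption."""
    signer = signer_domain.lower().rstrip(".")
    if atpsh == "none":
        label = signer
    elif atpsh == "sha1":
        digest = hashlib.sha1(signer.encode("ascii")).digest()
        # 20 bytes -> exactly 32 base32 characters, so no '=' padding appears
        label = base64.b32encode(digest).decode("ascii")
    else:
        raise ValueError("unsupported atpsh value: %s" % atpsh)
    return "%s._atps.%s" % (label, author_domain.lower().rstrip("."))


def atps_authorized(author_domain, signer_domain, atpsh, resolve_txt):
    """True when the author domain publishes a v=ATPS1 record naming this signer."""
    name = atps_query_name(author_domain, signer_domain, atpsh)
    wanted = signer_domain.lower().rstrip(".")
    for record in resolve_txt(name):
        tags = parse_tags(record)
        if tags.get("v") == "ATPS1" and tags.get("d", "").lower() == wanted:
            return True
    return False


def conditional_ok(weak_sig, full_sigs):
    """Conditional rule from the thread: the author's 'weak' signature (headers
    verified, body hash deliberately not checked) only counts if the intermediary
    it names has its own full, passing signature on the message."""
    expected = weak_sig.get("!fs", "").lower()  # '!fs' tag name is an assumption
    if not weak_sig.get("headers_pass") or not expected:
        return False
    return any(s["pass"] and s["d"].lower() == expected for s in full_sigs)


def dmarc_evaluate(from_domain, dmarc_record, sigs, resolve_txt):
    """Each sig is a dict: d, pass, and optionally headers_pass, !fs, atpsh.
    Returns (result, reason) following the order the post lays out."""
    policy = parse_tags(dmarc_record)
    author = from_domain.lower()
    for s in sigs:
        if s["pass"] and s["d"].lower() == author:
            return "pass", "aligned DKIM signature by %s" % s["d"]
    if policy.get("atps") == "y":  # author opted in; only then do the DNS lookups
        for s in sigs:
            if s["pass"] and s["d"].lower() != author and \
                    atps_authorized(author, s["d"], s.get("atpsh", "sha1"), resolve_txt):
                return "pass", "ATPS-authorized signer %s" % s["d"]
    for s in sigs:
        if s["d"].lower() == author and "!fs" in s and conditional_ok(s, sigs):
            return "pass", "conditional signature honoured via %s" % s["!fs"]
    return "fail", "p=%s" % policy.get("p", "none")


# Constructed TXT zone: author.example authorizes list.example to re-sign via ATPS.
ZONE = {
    "_dmarc.author.example": ["v=DMARC1; p=reject; atps=y"],
    atps_query_name("author.example", "list.example", "sha1").lower(): ["v=ATPS1; d=list.example"],
}


def resolve_txt(name):
    """Offline stand-in for a DNS TXT lookup against the constructed zone."""
    return ZONE.get(name.lower(), [])


def demo():
    """Four scenarios; returns their results as a tuple."""
    dmarc = resolve_txt("_dmarc.author.example")[0]
    # 1. The list altered the body, breaking the author's signature, and re-signed.
    via_atps = dmarc_evaluate("author.example", dmarc, [
        {"d": "author.example", "pass": False},
        {"d": "list.example", "pass": True, "atpsh": "sha1"}], resolve_txt)
    # 2. Same, but the re-signer has no ATPS record at the author domain.
    rogue = dmarc_evaluate("author.example", dmarc, [
        {"d": "author.example", "pass": False},
        {"d": "other.example", "pass": True}], resolve_txt)
    # 3. Conditional signature names list.example, and list.example's full signature passes.
    via_cond = dmarc_evaluate("author.example", "v=DMARC1; p=reject", [
        {"d": "author.example", "pass": False, "headers_pass": True, "!fs": "list.example"},
        {"d": "list.example", "pass": True}], resolve_txt)
    # 4. Conditional signature, but the named intermediary never signed.
    cond_missing = dmarc_evaluate("author.example", "v=DMARC1; p=reject", [
        {"d": "author.example", "pass": False, "headers_pass": True, "!fs": "list.example"},
        {"d": "other.example", "pass": True}], resolve_txt)
    return via_atps[0], rogue[0], via_cond[0], cond_missing[0]


if __name__ == "__main__":
    print(demo())
```

The two mechanisms land in different places, as the post says: ATPS changes nothing in the signer and adds a DNS lookup (plus the opt-in tag) on the verifier, while the conditional path needs the author's signer to emit the extra tag and the verifier to pair that weak signature with the named intermediary's full one. Scenario 4 is the replay concern raised upthread: without the designated intermediary's own passing signature, the body-hash-less signature is worth nothing on its own.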