Re: [dmarc-ietf] Ticket #42 - Expand DMARC reporting URI functionality

Hector Santos <hsantos@isdg.net> Tue, 19 January 2021 15:27 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 837803A1631 for <dmarc@ietfa.amsl.com>; Tue, 19 Jan 2021 07:27:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.362
X-Spam-Level:
X-Spam-Status: No, score=-2.362 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.262, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=gcY+ghZH; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=JzGPZ5Bu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QpQKpciAVpFe for <dmarc@ietfa.amsl.com>; Tue, 19 Jan 2021 07:27:46 -0800 (PST)
Received: from mail.winserver.com (news.winserver.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04F923A1638 for <dmarc@ietf.org>; Tue, 19 Jan 2021 07:27:40 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=8045; t=1611070057; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=KVzpyTnrR+ziQ1IZ7tyTt+cxSJUz xI46oP3Umr1A8wg=; b=gcY+ghZHqjmbHXiNZVu9WB/wEqxxtJxLke7inqyGrzip kEoi1/XAtNUykoFPoXiyevdZqS8iNhbJPfb63t6vSkLGQLRD7SkwhuAkzUxQGPLi IFm1ELW7gj1NJRwQZxRk02Dw/NLhcwo/QuilQsSibPiAacvwlB0DfPIBLctM7ss=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Tue, 19 Jan 2021 10:27:37 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 215133448.1.2164; Tue, 19 Jan 2021 10:27:36 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=8045; t=1611069649; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=KVzpyTn rR+ziQ1IZ7tyTt+cxSJUzxI46oP3Umr1A8wg=; b=JzGPZ5BuqEyuvGcYS0azdvj JiABeVKLt165MdZI6XPCxeJ9lVKgrWKQDhuPEz3noAD9h7mfdKCNq5RlJQm2ld93 8bC6Z2EbVVuK6/Mc5rNXXgLUfE2IzSzzR1GGx6Ic96u9SPug+ZGeeiNqlf2pThvO 82dixpx2ngfs0sl+psCM=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Tue, 19 Jan 2021 10:20:49 -0500
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 81986502.1.60628; Tue, 19 Jan 2021 10:20:48 -0500
Message-ID: <6006FA69.5000702@isdg.net>
Date: Tue, 19 Jan 2021 10:27:37 -0500
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>, IETF DMARC WG <dmarc@ietf.org>
References: <eb3d06f-c89f-2511-3528-d421473e4d42@taugh.com> <a67a4e98-2be0-e2e2-2595-c12d9b87c4df@taugh.com> <7d3be6c4-aa17-3c34-d8f0-4df51e46ccc1@tana.it> <f12991fe-fded-6c0-528c-3b879b4a670@taugh.com> <8b6605de-ca01-904c-de78-deae254e0891@tana.it> <CAHej_8nwEh8SXN1_WJ-QRFCZ1bUEDb1H3w-5WoB=wRcL_NzYcw@mail.gmail.com>
In-Reply-To: <CAHej_8nwEh8SXN1_WJ-QRFCZ1bUEDb1H3w-5WoB=wRcL_NzYcw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/W5rQ7xg-ik7WUVSvIoAj4l0kr_I>
Subject: Re: [dmarc-ietf] Ticket #42 - Expand DMARC reporting URI functionality
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2021 15:27:51 -0000

On 1/19/2021 9:02 AM, Todd Herr wrote:>
> Other concerns were raised about privacy and security issues that
> might be inherent in and unique to adding this kind of functionality,
> issues that may not have been fully discussed or understood by the
> community over the years. There was also a question about whether or
> not this is something that people are asking for.

Reporting concepts were in the each DKIM Policy proposal (SSP, DSAP, 
ADSP) -- a "-r" tag option to send reports. The main concerns were 
unsolicited report abuse.   The DSAP proposal (my own) recognize it 
could be optional so it provided:

    https://tools.ietf.org/html/draft-santos-dkim-dsap-00	

    4.5.  DSAP Tag: r=<abuse-address>

    This tag is optional.  If not defined, the default is no abuse-
    address is available.

    <abuse-address> is either the user-part or a FQDN email address to
    optional send abuse reports.

    Examples:
       r=abuse
       r=abuse@example.com

    If only the user-part is defined, then the full address is
    established by using the originating address domain.

    DKIM verifiers have the option to honor or not honor this reporting
    address.  DKIM signers MUST be aware this reporting address may not
    be utilized by verifiers.

    Verifiers should be aware this reporting address can be a source of
    an report attack vector (Section 7.4).  One possible implementation
    considerations would to limit the report to one report only and to
    track the reception and/or response of the reporting.


but the Section 7.4 discussion was TBD.


>
> Hatless, it seems to me that the safest implementation of this
> feature, presuming the security and privacy concerns can be addressed
> to the satisfaction of those who raised them, would be to add a new
> tag, as John has proposed, so as to minimize interoperability issues.
> I say "minimize", rather than "avoid", simply because while RFC 7489
> says "Unknown tags MUST be ignored.", I don't believe we can say with
> 100% certainty that all implementations of DMARC policy record parsing
> in the known world (both by report generators and third parties who
> advise domains on how to publish DMARC records), implementations that
> work now, won't "break" if a new tag is introduced. Of course, that'd
> be their problem, not ours, because they weren't following the
> existing rules.

We can not continue to design Internet protocols without upward design 
considerations. This is part of the forward and backward compatibility 
design concepts.  Any problem would be a known tag with new 
functionality than originally expected. Sure, we can't say it will not 
happen, but its going to be a very low percentage, if any.  They have 
to fix it.

> As editor, I seek guidance from the working group on how to proceed here.

I am for a URI protocol method as part of the current tag rather than 
a new a separate tag.

However, in principle, I don't see any issue with adding new tags, in 
fact, I am still here on the basis extended protocols will emerged 
once the base protocol is completed.  ATPS will be available to 
piggyback off the DMARC record as it did off ADSP.  The ATPS protocol 
adds "atps=y" tag to the DMARC record.  We have never received reports 
of issues related to extended tags.

There is a also a small scale version called ASL (Authorized Signer 
List) tag which defines a few domains authorized as resigners; for 
example:

asl=example1.com, example2.com, ietf.org, gmail.com

If you believe that adding a new tag is going to be a problem for 
DMARC, then we might as well come up with a new DKIM Policy model and 
a new resource record lookup name.

Imo, you guys are really missing the boat here.  Extended tags is a 
major part of a DKIM POLICY model future simply because we have not 
yet imagine all the needs to make it work well and integrate with 
other concepts.  In DSAP, for example, we had tags such as:

+============================================================+
| Description            |  DSAP Record Tag                  |
|============================================================|
| Version tag            |  v=<dsap-version>/<dkim-version>  |
|------------------------------------------------------------|
| Original party signing |  op=<signing-policy>              |
| practice               |                                   |
|------------------------------------------------------------|
| 3rd party signing      |  3p=<signing-policy>              |
| practice               |                                   |
|------------------------------------------------------------|
| Authorized List of     |  dl=<dom-list>                    |
| 3rd party domains      |                                   |
|------------------------------------------------------------|
| Signature Hashing      |  a=<hash-algorithm>               |
| Method                 |                                   |
|------------------------------------------------------------|
| Reporting address      |  r=<abuse-address>                |
|------------------------------------------------------------|
| Note or comment        |  n=<note>                         |
|------------------------------------------------------------|
| Testing flag           |  t=<testing-flag>                 |
|------------------------------------------------------------|
| Unauthorized signature |  fa=<failure-handling>            |
| failure handling       |                                   |
|------------------------------------------------------------|
| Invalid Signature      |  fs=<failure-handling>            |
| failure handling       |                                   |
|------------------------------------------------------------|
| Signature Expiration   |  fx=<failure-handling>            |
| failure handling       |                                   |
+------------------------------------------------------------+

The optional note tag (n=) allows a domain to store a human readable 
note or comment regarding the DSAP DNS record.  Its purpose is 
considered to be diagnostic in nature.

The fa=, fs= and fx= tags were based on discussion to offer specific 
handling instructions based on specific possible errors:

4.8.  DSAP Tags: fa=<failure-handling>; fs=<failure-handling>;
       fx=<failure-handling>;

    The fa=, fs, and fx= tags define the domain preferred rejection
    action policy a verifier is recommended to perform when an
    unauthorized signature, failed signature or expired signature is
    detected, respectively.

    The fa= tag defines the handling for failed signature authorization.
    The fs= tag defines the handling for failed signature verfication,
    and the fx= tag defines the handling when a signature expired or key
    is revoked.

    Failed signature include failures related to the DKIM-Signature
    hashing, syntax and encryption verification process.

    <failure-handling> values:

    FAIL                The verifer MUST reject the transaction when
                        failure is detected.  (Default)

    SOFTFAIL            The verifer SHOULD reject the transaction when
                        failure is detected.

    IGNORE              The verifer SHOULD NOT reject the transaction
                        when failure is detected.  This value may be
                        defined by the domain to signify the domain is
                        testing DKIM and failure may occur unexpectedly.
                        Verifiers SHOULD consider tracking this handler
                        value for abuse.

    The fa= and fs= tags are optional with default values of SOFTFAIL.

    Examples:

    fa=fail;fs=fail; fx=fail;  Domain has a MUST reject immediate policy
                        for unauthorized, failed or expired signatures.

    fa=fail;            Domain has a MUST reject immediate policy for
                        unauthorized signatures and a SHOULD reject
                        immediate policy for failed and expired
                        signatures.

    undefined values;   DOMAIN has a SHOULD reject immediate policy for
                        all failures.

    fs=fail;  fx=fail;  Domain has a SHOULD reject immediate policy for
                        unauthorized signatures and a MUST reject
                        immediate policy for failed and expired
                        signatures.


My point is simple, extended tags MUST be part of the protocol's 
extendability. If there is evidence with 100% sureness there going to 
be a significant compatibility problem with legacy software that can 
not be corrected, then the only option is a new DMARC version 2 
resource record.

I don't think we (I know I can't) can continue with DMARCbis without 
Extended Tag support and be hesitant to invent them because there is a 
compatibility problem.


-- 
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos