Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy
"Murray S. Kucherawy" <superuser@gmail.com> Tue, 19 May 2015 01:18 UTC
In-Reply-To: <BL2SR01MB605A700BA2C4C0775AC71DA96C30@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
References: <555656FC.5010609@dcrocker.net> <CAL0qLwZSG_X-sfcZHPaYxvbdFg9K8bFsLMO2KhGczOnxgVqkkw@mail.gmail.com> <BL2SR01MB605A700BA2C4C0775AC71DA96C30@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
Date: Mon, 18 May 2015 18:18:16 -0700
Message-ID: <CAL0qLwaLT3KPVFtobLO2PfSXkhRSn0BPojmOZwMqDytbNVt-DA@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: Terry Zink <tzink@exchange.microsoft.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/WQNRhqdUjM5Kut0BWzENx8aJSO8>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>, Dave Crocker <dcrocker@bbiw.net>
Subject: Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy

On Mon, May 18, 2015 at 5:36 PM, Terry Zink <tzink@exchange.microsoft.com> wrote:

> > I've implemented it now in libopendkim as a compile-time experimental feature,
> > and it took me about four hours including testing. I just have to add it to the plugin
> > that uses the library, and it'll be available for others to play with.
>
> Can you give an example of what the stamped headers will look like?

Ideally on receipt by a list subscriber, the message would have the following DKIM signatures:

    DKIM-Signature: v=1; d=authordomain.example; s=selector; ...
    DKIM-Signature: v=2; d=authordomain.example; s=selector; !cd=mlm.example; l=0; ...
    DKIM-Signature: v=1; d=mlm.example; s=foobar; ...

Things of note:

1) I changed "@fs" to "!cd" versus what John specified. I prefer "!" because we're calling that a "mandatory tag", and "cd" stands for "conditional domain" rather than "forward signature". Mostly personal preference, but I'd argue they're more correct (for some value thereof); I'll change them to wherever consensus lands if we decide we want to adopt this proposal.

2) I understand there's unresolved debate about updating "v=". I'll conform to that too when we make a decision.

3) The choice to do a weak signature using "l=0" was merely exemplary. There are other choices, like which header fields to sign or use of "l=<original-length>", that can result in something weaker without being that wide open.

4) Similarly, I didn't set an expiration on the !cd signature, but should.

5) I've actually listed the signatures above in the opposite order I'd expect to see them on receipt.

6) The theory is that even if the author signature fails, the conditional author signature would be more likely to pass but is not valid without the MLM signature. libopendkim would report this to the caller as valid in the crypto sense, but also note that the condition was not satisfied, so there's an error code associated with it.

7) Ultimately the caller sees all three signatures and their respective results. If the original author signature survived, it's available to influence message disposition as well as the others.

-MSK
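
Added example, not part of the original message and not libopendkim code: a sketch of how a verifier could resolve the three signatures above, where a signature carrying "!cd" only counts if an ordinary signature from the named domain also verified. The cryptographic result per signature is a constructed input, the status names are hypothetical, and the rule that only non-conditional signatures can satisfy a condition is an assumption.

```python
from dataclasses import dataclass

# Constructed tag lists modelled on the message's three signatures
# (the elided "..." parts such as bh=/b= are left out).
HEADERS = [
    "v=1; d=authordomain.example; s=selector",
    "v=2; d=authordomain.example; s=selector; !cd=mlm.example; l=0",
    "v=1; d=mlm.example; s=foobar",
]

def parse_tags(value):
    """Split a DKIM-Signature tag list ("k=v; k=v") into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags

@dataclass
class Sig:
    tags: dict
    crypto_ok: bool  # outcome of the normal hash/signature check (assumed given)

def evaluate(sigs):
    """Return one status per signature: 'pass', 'fail' or 'condition-unmet'."""
    # Domains that have an ordinary (non-conditional) signature that verified.
    # Assumption: a conditional signature cannot satisfy another condition.
    satisfied = {s.tags.get("d", "").lower() for s in sigs
                 if s.crypto_ok and "!cd" not in s.tags}
    statuses = []
    for s in sigs:
        if not s.crypto_ok:
            statuses.append("fail")
        elif "!cd" in s.tags and s.tags["!cd"].lower() not in satisfied:
            # Valid in the crypto sense, but the named domain did not sign.
            statuses.append("condition-unmet")
        else:
            statuses.append("pass")
    return statuses

def build(crypto_results):
    """Pair the constructed headers with constructed crypto results."""
    return [Sig(parse_tags(h), ok) for h, ok in zip(HEADERS, crypto_results)]

if __name__ == "__main__":
    # List modified the message: strict author signature breaks, l=0 one survives.
    print(evaluate(build([False, True, True])))
    # Same weak signature seen without any MLM signature alongside it.
    print(evaluate(build([False, True])))
```

The second case is the one the condition exists for: a wide-open "l=0" author signature that verifies on its own is still reported as unusable unless the named intermediary has also signed.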