Re: [dmarc-ietf] ATPS, TPA-Label, etc.
Douglas Otis <doug.mtview@gmail.com> Mon, 21 July 2014 01:13 UTC
Return-Path: <doug.mtview@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56A591B2A95 for <dmarc@ietfa.amsl.com>; Sun, 20 Jul 2014 18:13:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gQCIxo6ZddJB for <dmarc@ietfa.amsl.com>; Sun, 20 Jul 2014 18:13:40 -0700 (PDT)
Received: from mail-wg0-x22e.google.com (mail-wg0-x22e.google.com [IPv6:2a00:1450:400c:c00::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 194871B2A85 for <dmarc@ietf.org>; Sun, 20 Jul 2014 18:13:39 -0700 (PDT)
Received: by mail-wg0-f46.google.com with SMTP id m15so5623647wgh.17 for <dmarc@ietf.org>; Sun, 20 Jul 2014 18:13:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=8+minVqPlmWUD6IVq4X/1CV7yt4wKgrx0dUWwyVO9vI=; b=DNtVS7PKqF8a8hfM2uwnXgePWeKp3e/Ne4aRhium28VdR26GmcgYlNA6VCluuNOAod FJmfgPaE8sF0CNBAXpHUvD5Z00766cwPpzksA4OzY+pflAq8m/OMjF5knY5AS3FUwPh6 lTOzSs9KG/WNwGUvFbdd96V9ExoASvonzEz2lKD6J+FDwxKX0FxDAaHAwJjPWBy8TBYh OVBw9oYCN5xtAz++Y5GeZqArJdLeNY2KlamYQV/RAYE4pskNe+nOaHUnGfdci6ar0hdy VH44RYR5e4Qa2/wm8ATjNe7myozOkxBGK4mpFeMn2iNBfHpVIXAv6PMa7RKpUi7UNVDO E3nA==
X-Received: by 10.194.185.238 with SMTP id ff14mr18066181wjc.9.1405905218641; Sun, 20 Jul 2014 18:13:38 -0700 (PDT)
Received: from [192.168.11.129] (dhcp-8b54.meeting.ietf.org. [31.133.139.84]) by mx.google.com with ESMTPSA id eo4sm35962303wid.4.2014.07.20.18.13.36 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 20 Jul 2014 18:13:37 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_DC4536BB-9DFC-4AED-A5BE-3FB39AE095CD"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <CAL0qLwaii6BhUXuWm2ujORGjrLuQ6ANPiQ1M7wv3OZH4xkV-1w@mail.gmail.com>
Date: Sun, 20 Jul 2014 21:13:34 -0400
Message-Id: <BDDEDCEF-2E2F-40B4-8A62-E38610E5504A@gmail.com>
References: <CAL0qLwaii6BhUXuWm2ujORGjrLuQ6ANPiQ1M7wv3OZH4xkV-1w@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/dmarc/Y6nAviprvOQvw7JGXgGkpHGNvqc
Cc: dmarc WG <dmarc@ietf.org>, Hector Santos <hsantos@isdg.net>, Douglas Otis <doug.mtview@gmail.com>
Subject: Re: [dmarc-ietf] ATPS, TPA-Label, etc.
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Jul 2014 01:13:43 -0000
Dear Murray, Thank you for responding. See comments inline: On Jul 20, 2014, at 3:55 PM, Murray S. Kucherawy <superuser@gmail.com> wrote: > [Changing Subject: to a new thread and dropping ietf@ietf.org, since this is not charter discussion] > > On Sun, Jul 20, 2014 at 12:27 AM, Douglas Otis <doug.mtview@gmail.com> wrote: > ATPS is not the "lite version" of TPA-Label. This is explained in > http://tools.ietf.org/id/draft-otis-tpa-label-04.html#rfc.appendix.C > > I disagree. I think that's exactly what it has turned out to be. > > ATPS requires DKIM signatures used by Third-Party Services to somehow determine different label encoding methods permitted by ATPS. ATPS also lacks any discovery or exchange method for this. In contrast, TPA-Label makes NO demands on third-Party services. None. Since there is only one encoding method, there is NO guesswork discovering the listing encoding method. > > There's no magic involved here ("somehow"? really?). The third-party selects a hash algorithm, or opts not to use one, and indicates this choice in the generated signature. The third-party service does not select the label hash algorithm as you seem to suggest. The Author's ADMD (also called just ADMD) will have independently published labels corresponding to various third-party services within the Author's ADMD's domain. Third-party services should not need to care about ATPS label encoding schemes. They should be allowed to carry-on with their normal verification methods without needing to discover and catalog a needless option. See http://tools.ietf.org/html/rfc6541#section-3 ,--- An authorized ATPS Signer makes a claim of this relationship via new tags in the DKIM signature, and the ADMD confirms this claim by publishing a specific TXT record in its DNS. '--- Requiring third-party services to change the process they use to allow recipients a means to validate their messages, which also requires discovering and cataloging label encodings used by each of the served Author Domains represents an unreasonable burden placed on third-party service providers. This is unreasonable because it offers no tangible benefit and needlessly changes and complicates third-party DKIM signature processing. The From domain is known. There is no need to introduce a new tag to clarify From domains. Secondly, by retaining a fixed hash, there is no reason to include a hash tag either. TPA-Label checks DMARC compliance only after the source of the message has been verified, at a minimum, as specified in the TPA-Label. Use of TPA-Labels is best done by adding a 'tpa' tag in the DMARC record for the From header field. A hash option represents a fairly significant federation deployment impediment. If a DMARC domain finds they are being DDoS by a particular third-party domain, they can publish a cacheable negative federation label to curtail most of the related traffic. TPA-Labels convey informal federations and carry no PII unlike SPF or DKIM. > The possible choices are enumerated in the specification. The verifier thus knows which hash (if any) was used. What this again misses are needless changes that must be made by those offering (often free) third-party services. > There is no discovery or exchange needed, since any DKIM implementation already includes support for all of the ones that ATPS specifies. This statement ignores what ATPS causes third-party service providers to face. Ideally, very few changes should be expected of third-party service providers. When there is a problem determined because DMARC is not being applied against messages they receive, TPA-Label provides a means to mitigate an abusive situation by requiring an OAR header field be added. > Claiming there's some kind of burden ATPS has that TPA-Label does not have is simply false. > > If this truly is a burden (which I seriously doubt), selecting one hash or the "none" option and removing the other choices from ATPS is certainly possible, but first I think I'd like to see some evidence that this is a pain point either for implementers or operators, or that it creates an interoperability problem. There are several other changes TPA-Label has made as well. In the end, TPA-Label and ATPS represent significantly different approaches. For example, TPA-Label does not depend on the use of DKIM and therefore provides greater verification agility and closer compliance with that of DMARC. > The extra processing is only done when DMARC indicates non-complaince where the DMARC domain can then indicate whether they have informally federated the domain in question and what if any additional information must be included in the message. In comparison, processing a new DKIM-ike signature involves greater overhead than that needed to obtain a TPA-Label resource which happens only after the domain in question has been validated. It seems TPA-Label represents far easier deployment and far less overhead since the Third-Party makes no change to their process and only a single, small, cacheable TPA-Label resource is provided by the DMARC domain. > > Both methods start from a place of non-compliance of the basic case, namely non-authentication by the author domain. ATPS requires that the third-party have signed with DKIM (and thus as we say, "taken some responsibility for") the message under evaluation; TPA-Label does not have this constraint by default, which means TPA-Label is cheaper to deploy. Cheaper yes; and no, TPA-Labels stipulate verification requirements for 'X' fully determined by the DMARC domain 'Y'. > However, I'm at a loss to understand why "X is an approved third-party for Y" is meaningful when neither of those identifiers are authenticated. The 'Y' domain publishes TPA-Labels having a hashed label and optionally a string matching with 'X'. Publishing confirms 'Y' federations. > If Y is a high-value target, then an attacker can merely claim to be X; without authentication, TPA-Label still approves this. No. TPA-Labels stipulate verification requirements for 'X' fully determined by the DMARC domain 'Y'. > "Just make X authenticate with DKIM," you say? Guess what, you're back to ATPS. How can a service be federated that only verifies with DANE TLS or SPF? TPA-Label permits this mode of verification. ATPS can't and, as such, is not fully compatible with DMARC. > All of the other options TPA-Label has about must have this header field or that one, or the value of this field must align with that one, are trivially satisfied by an attacker because the acceptance policy is made public, and I don't think they add any protection that isn't thus trivially defeated. They may help for a migration, for example, but not as an effective security mechanism against a bad actor. As was stated in TPA-Label, confirming these header fields provide recipients a safer message sorting strategy. Messages lacking these headers in conjunction with the From header field sourced from a particular domain can be rejected and therefore never seen. The goal is to make the From header field more trustworthy and the required additional headers and their content should represent a harmless but potentially beneficial criteria. Why wait for abuse to occur? > In terms of what's useful to DMARC, the ability to announce a third-party delegation approved by the author domain and authenticated by SPF is the only thing ATPS can't already do. And I'm not convinced that either of these methods is better than the ephemeral delegation idea. Anyway, all of that is for the working group to decide. > > Finally, Appendix C of the TPA-Label draft makes what I believe is a bogus claim about causes for the lack of ATPS adoption. The reason is far more general: Even though we made ATPS available for free, including deployment tools, there has never been any obvious evidence that a third-party mechanism is sufficiently secure, scalable, and above all, necessary. It is the main reason why TPA-Label, which is older than ATPS, has also seen no adoption to speak of. You have done great work, but you placed demands on those not likely to cooperate. In my view, a lack of response was more than understandable. Thank you for your feedback. It clarifies how we see this issue differently. My company would like to work with a large provider to prove TPA-Label operations at a large scale. There is still some work needed to define a federation request sent to the DMARC domain feedback. Regards, Douglas Otis
- [dmarc-ietf] ATPS, TPA-Label, etc. Murray S. Kucherawy
- Re: [dmarc-ietf] ATPS, TPA-Label, etc. Douglas Otis