Re: [dmarc-ietf] Display address, was Mandatory Sender Authentication
Alessandro Vesely <vesely@tana.it> Tue, 11 June 2019 15:12 UTC
Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2E27120181 for <dmarc@ietfa.amsl.com>; Tue, 11 Jun 2019 08:12:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KKgauW8RdHgR for <dmarc@ietfa.amsl.com>; Tue, 11 Jun 2019 08:12:47 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A94041200E5 for <dmarc@ietf.org>; Tue, 11 Jun 2019 08:12:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1560265965; bh=bijkzUcB5Hz1nDjyvz9Tst9uFRLudjg9AQyuTEAihtU=; l=2703; h=To:References:From:Date:In-Reply-To; b=ASONCcQoTH8DrxIaDzWmsU3si5Md/tKLOyMi/TuqZb9+eMB6hTYeMvs2HaFYoUGlj JfKi6hU+4naE+Ppwpj973pnKNKDVHCvAyfNZ28FtkT9PQTKRy3tnhNuR5bHuoelkAD O0iO9RYKG70fyszYDHUos3UsnloM9bTI1iZOJ1FffoXZKmfuV9hEzs0HAi1bG
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by wmail.tana.it with ESMTPA; Tue, 11 Jun 2019 17:12:45 +0200 id 00000000005DC077.000000005CFFC4ED.00003196
To: dcrocker@bbiw.net, dmarc@ietf.org
References: <20190603142956.66B31120252@ietfa.amsl.com> <45cdc0da-5243-3a62-b217-8d5e4ea9ea11@dcrocker.net> <941abdbf28684283b972f69f25876220@bayviewphysicians.com> <5524dbb3-27ff-4aa8-aaf0-fc3a3fc23418@dcrocker.net> <1df2cc6b-c169-59ca-08f6-dadc06a702c6@tana.it> <1e096404-6b00-8896-0b79-841c243cacec@dcrocker.net>
From: Alessandro Vesely <vesely@tana.it>
Openpgp: id=0A5B4BB141A53F7F55FC8CBCB6ACF44490D17C00
Message-ID: <7f8692bb-6b80-455e-f030-731f3ae36b58@tana.it>
Date: Tue, 11 Jun 2019 17:12:45 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <1e096404-6b00-8896-0b79-841c243cacec@dcrocker.net>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/YSuBhu23z_BYlv62Sc0Apn_B6ng>
Subject: Re: [dmarc-ietf] Display address, was Mandatory Sender Authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2019 15:12:50 -0000
On Mon 10/Jun/2019 22:17:01 +0200 Dave Crocker wrote:
> On 6/10/2019 1:17 AM, Alessandro Vesely wrote:
>> On Sat 08/Jun/2019 18:49:03 +0200 Dave Crocker wrote:
>>
>>> Except that most users don't actually see that address because these days most
>>> MUAs only display the display address.
>>
>>
>> We often came across this realization. Since DMARC hinges on that field, I
>> think the spec should include some advice to MUA implementation.
>
> Unfortunately there is no 'advice' to give that has any utility.
>
> If you feel otherwise, please try to formulate it, including the basis for
> believing it useful, and then try to get community support for it.
I'd propose bullets like the following for Section 12.4:
o In the MUA, it is safe to only show the display name if its
correspondence to the email address can be verified by looking it up in
the address book or similar storage. In case a display name compares
equal to one that corresponds to a different email address, such
discrepancy should be enhanced unless the two email addresses are
established to be equivalent to each other. Email addresses are
equivalent when they correspond to the same person, or to the same role
within a given organization, or, in practice, when the user says that
they are.
o The authentication status of the message should be visible.
>> A trust on first use (TOFU) approach would seem to be possible.
>
> In practical terms, what does that mean? Who does what, exactly?
A discrepancy can be enhanced by bold characters, by a pop-up, or by a beep and
an alert message. Anything but silently displaying a familiar name which
actually stands for something else.
A user can then arrange her address book so as to make it clear to the MUA that
a class of email addresses are equivalent to one another, in order to avoid
meaningless alerts.
>> Does this subject deserve a ticket?
>
> Since it has nothing to do with errors or problems with the current spec, I
> don't see how to justify a ticket.
Section 12.4 seems to have some problems. The first bullet should be reworked,
because it can be understood as suggesting that in cases like, for example:
From: "user@example.org via Bug Tracker" <support@example.com>
a _MUA_ should "execute the DMARC mechanism on the domain name found there
rather than the domain name discovered originally." That sounds nonsense,
first, because MUAs should rather base on A-R records added by the MX. Second,
because checking example.org rather than example.com, in the example, would
defeat the only workaround for indirect mail flows which seems to be working
thus far.
Best
Ale
--
- [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication Seth Blank
- Re: [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication John R. Levine
- Re: [dmarc-ietf] Mandatory Sender Authentication Hector Santos
- Re: [dmarc-ietf] Mandatory Sender Authentication Dave Crocker
- Re: [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication Dotzero
- Re: [dmarc-ietf] Mandatory Sender Authentication Dave Crocker
- [dmarc-ietf] Display address, was Mandatory Sende… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Dave Crocker
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Дилян Палаузов
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Dave Crocker
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Stan Kalisch
- Re: [dmarc-ietf] Display address, was Mandatory S… Dotzero
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Kurt Andersen (b)
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely