Re: [dmarc-ietf] Genart last call review of draft-ietf-dmarc-psd-08

John Levine <johnl@taugh.com> Fri, 10 April 2020 16:33 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2C4B3A0842 for <dmarc@ietfa.amsl.com>; Fri, 10 Apr 2020 09:33:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.852
X-Spam-Level:
X-Spam-Status: No, score=-1.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=P/e+ICn4; dkim=pass (1536-bit key) header.d=taugh.com header.b=KsFKbEng
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lzzZNSMxSUfg for <dmarc@ietfa.amsl.com>; Fri, 10 Apr 2020 09:33:15 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96D913A07A2 for <dmarc@ietf.org>; Fri, 10 Apr 2020 09:33:15 -0700 (PDT)
Received: (qmail 77076 invoked from network); 10 Apr 2020 16:33:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=12d10.5e909fc9.k2004; bh=UuN7ldh1NhqHqumbMKVJX3vmqG4nmbKXB2XfrogctmI=; b=P/e+ICn4GTmLBqHmMrU4Q56Hgm2lUZZ0Y9Lryh3HZ8owF8l6HgLjEemj5wDG2qs8jBPki2DB1iziytymoXKMXMfhJNOZcEfF0XLz15s3qBtGLc1YeDjuimCJNfFFhRMBE4cSanVDYK3Cpi11TLn1nPh4VjONSJYc+FwV5zm+HRIZ9jnbl76H05a1qHtw+qKNMB3LqRsGQ807i0SS0PuJTiyPlWK6FCZccmAbVIZgzHYFGc6dGT4/ufnWceig7dyO
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=12d10.5e909fc9.k2004; bh=UuN7ldh1NhqHqumbMKVJX3vmqG4nmbKXB2XfrogctmI=; b=KsFKbEng5ZQUEN6jAE1mQ+Jm+nQ4Id/ltQ7IUUTuswhdFy9Wk0B+jM9CrBjAKt+EewBh2TNULWXNx8cRxXCwwbzbUtoQMmU+LKQMxQfZ9rip1acU3uxtccHEweoAgm/V8DrAXE68aZUKiVpmk1zP4T0WXKdPj/Kk/Z3mfQd6FlB7HiwfxXKKkcxaE7TflVMZKAQ2G4OQuZaWR9UjnhD792gBttSz+M/uplCWiM6atGHFDKZTa+II6MubXAjZ/yuc
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 10 Apr 2020 16:33:13 -0000
Received: by ary.qy (Postfix, from userid 501) id 850961769BE6; Fri, 10 Apr 2020 12:33:13 -0400 (EDT)
Date: 10 Apr 2020 12:33:13 -0400
Message-Id: <20200410163313.850961769BE6@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: toddmherr@gmail.com
In-Reply-To: <CA+Wg=gsS0U-cW8TAFhJw9yQrCP7K-8gjGGDhg1sighiBc5JrgQ@mail.gmail.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/YzUEZB_n8x5-69z8jctf4hFuXNc>
Subject: Re: [dmarc-ietf] Genart last call review of draft-ietf-dmarc-psd-08
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Apr 2020 16:33:18 -0000

>Dale twice in his comments expresses doubt that it's possible for anyone to
>know all PSDs; the mention of a specific PSL in the abstract was an attempt
>to answer those doubts.

This kind of stuff drives me nuts since it suggests the reviewer isn't
familiar with all of the other stuff that has the same issue.

Plan A:

This is essentially the same problem that affects browser supercookies
or signing wildcard SSL certificates, both of which have been in
production for many years.  It's not a new problem, there are
approximate solutions and it doesn't have to be perfect to be useful.

Plan B:

Major rewrite: Define PSD as Policy Super Domain.  Say that the PSD is
defined as the domain one up from the Org domain, see RFC 7489, full
stop.  Do not offer any other suggestions about how to find it, do not
mention the PSL -- you've already got the org domain, one snip and
you're done.  Take out all of the public suffix stuff.

If you want, you can add another informative paragraph that says that
Policy Super Domains often have legal or contractual relationships
with their child org domains so this can be useful to express policies
intended to apply to all of their org domains, perhaps with shorter
versions of the .bank or .gov.uk examples, but don't go very far,
since it's not part of the definition and especially don't mention the
PSL or use the phrase public suffix.

I'd suggest plan B since people will otherwise be complaining about
the PSL forever, even though we're already stuck with it for org domains.

R's,
John