[dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
Seth Blank <seth@sethblank.com> Wed, 25 July 2018 21:34 UTC
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-16#section-5.1.2

Originally, even in the event of a chain validation failure, the Sealer's ARC-Seal would sign all ARC header fields on the message. When we introduced the concept of cv=invalid last year, the advice was to only sign your own ARC Set, because there was no deterministic way to know which header fields to sign when those ARC header fields were not properly intact (the definition of invalid). We then decided to abandon the cv=invalid path and only have cv=fail.

Somehow, in the current doc this advice for invalid chains now applies to all chain failures. Section 5.1.2's title even mentions it is for the invalid case, but the text as written applies to all failed chains.

Without the ARC-Seal covering the ARC header fields in the failing chain, all the data in the failed chain can be modified as it is not covered under the latest signature. The proper guidance should be that the ARC-Seal MUST sign the ARC Chain in its entirety, unless that is structurally impossible, in which case it should only sign itself.

I believe the proper text for this section (replacing the first paragraph for 5.1.2 in its entirety) should be:

    In the event that it is not possible to generate a deterministic list of
    previous ARC Sets to sign (such as when the chain undergoing validation is
    structurally invalid), the signature scope of the AS header field b= value
    MUST only include the latest ARC Set headers as if this newest ARC Set was
    the only set present.
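As an added illustration of the point above (example code, not from the draft or from any ARC implementation): which header fields the new ARC-Seal's b= covers under the two rules, and why the narrower scope leaves the earlier sets unprotected against later modification. HMAC-SHA256 stands in for the seal's RSA signature and the header canonicalization is a simplified stand-in for RFC relaxed canonicalization; both are assumptions, as is the constructed two-hop chain.

```python
# Added example (not from the thread or any ARC implementation): how the
# ARC-Seal signing scope decides whether earlier ARC sets are tamper-evident.
# Assumptions: HMAC-SHA256 stands in for RSA; canonicalization is simplified.
import hmac, hashlib, re

SEAL_KEY = b"constructed-demo-key"   # stand-in for the sealer's private key
ARC_FIELDS = ("arc-authentication-results", "arc-message-signature", "arc-seal")

def canon(name, value):
    """Simplified relaxed canonicalization: lower-case name, collapse whitespace."""
    return f"{name.lower()}:{' '.join(value.split())}"

def instance_of(value):
    """Extract the i= instance number of an ARC header field value."""
    return int(re.search(r"\bi=(\d+)", value).group(1))

def seal_scope(headers, new_i, deterministic):
    """Return the ARC header fields the new seal's b= covers, in signing order.
    deterministic=True: sign every prior ARC set plus the new one (full chain).
    deterministic=False: sign only the newest set (the narrow, sign-own-set rule)."""
    scope = []
    for i in range(1 if deterministic else new_i, new_i + 1):
        for field in ARC_FIELDS:
            for name, value in headers:
                if name.lower() == field and instance_of(value) == i:
                    scope.append(canon(name, value))
    return scope

def seal(headers, new_i, deterministic):
    msg = "\r\n".join(seal_scope(headers, new_i, deterministic)).encode()
    return hmac.new(SEAL_KEY, msg, hashlib.sha256).hexdigest()

def verify(headers, new_i, deterministic, sig):
    return hmac.compare_digest(seal(headers, new_i, deterministic), sig)

# Constructed two-hop chain; hop 2 is sealing a chain it evaluated as cv=fail.
CHAIN = [
    ("ARC-Seal", "i=1; a=rsa-sha256; cv=none; d=hop1.example; s=s1; b=AAA"),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; d=hop1.example; s=s1; b=BBB"),
    ("ARC-Authentication-Results", "i=1; hop1.example; spf=pass"),
    ("ARC-Seal", "i=2; a=rsa-sha256; cv=fail; d=hop2.example; s=s2"),
    ("ARC-Message-Signature", "i=2; a=rsa-sha256; d=hop2.example; s=s2; b=CCC"),
    ("ARC-Authentication-Results", "i=2; hop2.example; dkim=fail"),
]

def altered_i1(headers):
    """Copy of the chain where the i=1 ARC-Authentication-Results was changed downstream."""
    return [(n, v.replace("spf=pass", "spf=fail")) if v.startswith("i=1") and n.startswith("ARC-Auth")
            else (n, v) for n, v in headers]
```

Under the full-chain rule the i=2 seal no longer verifies once the i=1 results change; under the sign-own-set rule the same change goes unnoticed, which is the exposure the message describes.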