[dmarc-ietf] DMARC: draft-crocker-dmarc-bcp-03
Douglas Otis <doug.mtview@gmail.com> Wed, 29 October 2014 00:25 UTC
Return-Path: <doug.mtview@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2D271A1B7E for <dmarc@ietfa.amsl.com>; Tue, 28 Oct 2014 17:25:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.701
X-Spam-Level:
X-Spam-Status: No, score=0.701 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5RLmmjPRDJ93 for <dmarc@ietfa.amsl.com>; Tue, 28 Oct 2014 17:25:37 -0700 (PDT)
Received: from mail-pa0-x22f.google.com (mail-pa0-x22f.google.com [IPv6:2607:f8b0:400e:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2253E1A1A29 for <dmarc@ietf.org>; Tue, 28 Oct 2014 17:25:37 -0700 (PDT)
Received: by mail-pa0-f47.google.com with SMTP id kx10so1912119pab.6 for <dmarc@ietf.org>; Tue, 28 Oct 2014 17:25:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:date:subject:to:message-id:mime-version; bh=eQ2MzYzielM8wYAxxLTygwKfp6zfvPGlqj/p7dGC6PY=; b=oqodIT2a9iYm84hbvc6SKF9Jb6LAryWK9EYDMDES1vSGxH+wqx1rs//GAT5FUXYn2y xc23p4v98yVhm0esovo9+sUb9gw4aIxadLSjdJJm4hF0cRjquxN1jGRlc8MMso8Qom53 rv6un4ODunel8X7Fo2L5OTNw5+UjOSm+Ot2znXH3F/LYT3OeQ5G2bp4EqORxPDeqbdFl Q1x45S+DovXI0X+1AAzpUL79rLpy5EAdADm8J0hPfB3kSeAIEIcS+4B072AigcAHeae9 pDE2FcSNFasYFEj+5R0UZzvcUfsnu45u02vHDNhbKiAst0RGaC8Bh0YhNR2WFacpHHEP 0mfA==
X-Received: by 10.66.248.104 with SMTP id yl8mr7070401pac.2.1414542336691; Tue, 28 Oct 2014 17:25:36 -0700 (PDT)
Received: from [192.168.2.225] (c-67-188-1-12.hsd1.ca.comcast.net. [67.188.1.12]) by mx.google.com with ESMTPSA id j11sm2651429pdk.76.2014.10.28.17.25.35 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 28 Oct 2014 17:25:36 -0700 (PDT)
From: Douglas Otis <doug.mtview@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7B4D528D-7981-4AFF-A4E2-8E2BA27E69DA"
Date: Tue, 28 Oct 2014 17:25:33 -0700
To: dmarc <dmarc@ietf.org>
Message-Id: <82363627-795A-45F3-85F3-3A6F7A161F20@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/dmarc/_qwuebtGI_cBy5LfSXtT9mBPL8Q
Subject: [dmarc-ietf] DMARC: draft-crocker-dmarc-bcp-03
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 00:25:39 -0000
Dear DMARC WG, The draft-crocker-dmarc-bcp-03 repeats a mistake made in RFC5863 Section 5.4 which caused several large service providers to permit easy DKIM From spoofing. A problem one the authors of the DMARC base draft had not realized affected their own large deployment until fairly recently. This draft fails to highlight essential checks needed to augment otherwise unreliable Authentication Results. The tests described in section 10.1 of the DMARC base specification remains excluded from the DKIM signature verification process. This means a subsequent message process must include DMARC base section 10.1 checks entirely overlooked yet again in this bcp. While the informational RFC7103, Advice for Safe Handling of Malformed Messages offers informational advice, RFC5863 describing DKIM deployment also makes the same mistake in its Section 5.4 when suggesting DKIM can be used to avoid subsequent processing. Section 2.1.2 Runtime DMARC processing - Receiver side makes the same flawed recommendation as found in RFC5863 Section 5.4 which neglects a flaw in the DKIM signature verification process affecting DKIM result validity as required to properly enforce DMARC or to bypass additional checks. It seems the general view is that such checks must happen at a lower level, although neither RFC5321 nor RFC6376 Section 8.15 made format compliance an acceptance requirement. In the case of RFC5321, a store-and-forward strategy would need to negotiate minor format changes as occurred with RFC6854 for example. No harm would have occurred if RFC6376 ensured valid signature results had valid formats and can be implemented via software switch in OpenDKIM. This change was largely overlooked in the DMARC base draft in until an overly vague mention in 10.1 which ignores its use when handling international email addresses. Group syntax still permits a single address, and could be used to safely signal a non-compliant source which might be confirmed by other means, for example. Once again, a need to evolve a format specification remains overlooked. DMARC continues to lack any visible means for making often needed exceptions, which remains a serious flaw unless it can be overcome by a domain explicit exception strategy. RFC5321 Section 3.3. Mail Transactions "When the RFC 822 format ([RFC 822], [RFC 5322]) is being used, the mail data include the header fields such as those named Date, Subject, To, Cc, and From. Server SMTP systems SHOULD NOT reject messages based on perceived defects in the RFC 822 or MIME (RFC 2045) message header section or message body. In particular, they MUST NOT reject messages in which the numbers of Resent-header fields do not match or Resent-to appears without Resent-from and/or Resent-date." (The footnotes have been expanded to clarify a reference to RFC 822 includes all versions up to and including RFC 5322) Minor notes: Section 3.3 makes a reference to .blah.com which is a Brazilian web site merging social network messaging. This should be converted to example.com. Section 7.3. Use and Reporting of Local Policy Overrides has receivers reporting back to the DMARC domain why a policy assertion was ignored. Since DMARC lacks any mechanism (say outside that of something like TPA-Label) the DMARC domain is unable to benefit those issuing such feedback, since they are still obliged to discover needed exceptions from other sources. What is their motivation for offering override feedback? Regards, Douglas Otis
- [dmarc-ietf] DMARC: draft-crocker-dmarc-bcp-03 Douglas Otis