[dmarc-ietf] Clarifying the value of arc.closest-fail

"Kurt Andersen (b)" <kboth@drkurt.com> Tue, 02 January 2018 17:34 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/_sG6ECCBfT5OPQ0LkDThzcGPHGI>

As I went through the edits for
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-5.2.1
I was unable to understand the value added by having the "arc.closest-fail"
listed in the AAR.

Looking back through the list archives, the idea for this pvalue seems to
have come up in mid-August, captured in this snippet:

On Wed, Sep 6, 2017 at 4:02 AM, Bron Gondwana <brong@fastmailteam.com>
 wrote:

> On Wed, 6 Sep 2017, at 07:52, Seth Blank wrote:
>
> On Mon, Aug 14, 2017 at 5:12 PM, Bron Gondwana <brong@fastmailteam.com>
> wrote:
> > That seems like it would be enough to fix that objection.  An additional
> "first AMS failure" header at each hop would give you a list of who
> actually modified the message.
>
> arc.closest_fail has been defined to accomplish this.
>
> That looks great.  It adds enough information that my other questions are
> basically efficiency concerns, which are not nothing, but at least ARC
> signing doesn't make things worse...
>

It seems that Bron is advocating a change in the verify process whereby
all AMS signatures would have to be checked rather than just the most
recent one. Going through the archives showed me that the language in 5.2.1
should say "...the most recent AMS that fails to validate..." rather than
"...the most recent AS that fails to validate..." but then the verifier
actions would also need to be updated in section 6 (steps 3+). If we are
only concerned with changes in the body of the message which are being
introduced by intermediaries, it seems like we could just check for changes
in the bh value between hops rather than requiring each verifier to walk
(possibly) the whole list of AMS headers.

Does this provide enough "bang for the buck" to make it worthwhile? Or
should we cut out this field?

--Kurt
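
The bh comparison between hops suggested in the message above, as an added example (not part of the original post or of any ARC implementation). The ARC-Message-Signature values are constructed and the function names are hypothetical; two bh values are compared only when the hash algorithm, body canonicalization and l= tag match, because otherwise a differing bh says nothing about whether the body changed.

```python
import re

# Constructed sample: four ARC-Message-Signature header values (not from a real message).
SAMPLE_AMS = [
    "i=1; a=rsa-sha256; c=relaxed/relaxed; d=origin.example; s=s1; "
    "h=from:to:subject; bh=AAAAbodyhashONE=; b=sig1",
    "i=2; a=rsa-sha256; c=relaxed/relaxed; d=list.example; s=s2; "
    "h=from:to:subject; bh=BBBBbodyhashTWO=; b=sig2",
    "i=3; a=rsa-sha256; c=relaxed/simple; d=fwd.example; s=s3; "
    "h=from:to:subject; bh=CCCCbodyhashTHREE=; b=sig3",
    "i=4; a=rsa-sha256; c=relaxed/simple; d=mx.example; s=s4; "
    "h=from:to:subject; bh=CCCCbodyhashTHREE=; b=sig4",
]

def parse_tags(value):
    """Split a DKIM-style tag list into a dict, removing folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def body_profile(tags):
    """Parameters that must match for two bh values to be comparable."""
    hash_alg = tags.get("a", "").rpartition("-")[2]
    canon = tags.get("c", "simple/simple")
    body_canon = canon.partition("/")[2] or "simple"  # body part defaults to simple
    return (hash_alg, body_canon, tags.get("l"))

def bh_transitions(ams_values):
    """Return [(instance, domain, status)], comparing each hop's bh to the previous hop's."""
    hops = sorted((parse_tags(v) for v in ams_values), key=lambda t: int(t["i"]))
    out = []
    for prev, cur in zip(hops, hops[1:]):
        if body_profile(prev) != body_profile(cur):
            status = "incomparable"   # different hash, canonicalization or l=
        elif prev["bh"] == cur["bh"]:
            status = "unchanged"
        else:
            status = "changed"        # body differs between the two signings
        out.append((int(cur["i"]), cur.get("d"), status))
    return out

if __name__ == "__main__":
    for row in bh_transitions(SAMPLE_AMS):
        print(row)
```

The comparison reads the bh tags as written and does not verify any signature, so it only covers body changes and says nothing about modified header fields.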