[dmarc-ietf] Clarifying the value of arc.closest-fail
"Kurt Andersen (b)" <kboth@drkurt.com> Tue, 02 January 2018 17:34 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/_sG6ECCBfT5OPQ0LkDThzcGPHGI>
As I went through the edits for https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-5.2.1 I was unable to understand the value added by having the "arc.closest-fail" listed in the AAR. Looking back through the list archives, the idea for this pvalue seems to have come up in mid-August, captured in this snippet:

On Wed, Sep 6, 2017 at 4:02 AM, Bron Gondwana <brong@fastmailteam.com> wrote:

> On Wed, 6 Sep 2017, at 07:52, Seth Blank wrote:
>
> On Mon, Aug 14, 2017 at 5:12 PM, Bron Gondwana <brong@fastmailteam.com>
> wrote:
>
> That seems like it would be enough to fix that objection. An additional
> "first AMS failure" header at each hop would give you a list of who
> actually modified the message.
>
> arc.closest_fail has been defined to accomplish this.
>
> That looks great. It adds enough information that my other questions are
> basically efficiency concerns, which are not nothing, but at least ARC
> signing doesn't make things worse...
>

It seems that Bron is advocating a change in the verify process whereby all AMS signatures would have to be checked rather than just the most recent one.

Going through the archives showed me that the language in 5.2.1 should say "...the most recent AMS that fails to validate..." rather than "...the most recent AS that fails to validate..." but then the verifier actions would also need to be updated in section 6 (steps 3+).

If we are only concerned with changes in the body of the message which are being introduced by intermediaries, it seems like we could just check for changes in the bh value between hops rather than requiring each verifier to walk (possibly) the whole list of AMS headers.

Does this provide enough "bang for the buck" to make it worthwhile? Or should we cut out this field?

--Kurt
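An added sketch of the bh-comparison idea raised in the message above; it is not code from the draft or from any list participant. It assumes the ARC-Message-Signature values have already been extracted and the ARC-Seal chain has validated (so the AMS headers are as each sealer wrote them); `body_change_hops`, `body_profile` and the sample headers are constructed for illustration.

```python
import re

# Constructed sample AMS values (bh= and b= are placeholders, not real hashes).
SAMPLE_AMS = [
    "i=3; a=rsa-sha256; c=relaxed/relaxed; d=list.example; s=s1; bh=Ym9keS1C; b=xx",
    "i=1; a=rsa-sha256; c=relaxed/relaxed; d=origin.example; s=s1; bh=Ym9keS1B; b=xx",
    "i=4; a=rsa-sha256; c=relaxed; d=fwd.example; s=s1; bh=Ym9keS1D; b=xx",
    "i=2; a=rsa-sha256; c=relaxed/relaxed; d=relay.example; s=s1; bh=Ym9keS1B; b=xx",
]

def parse_tags(value):
    """Parse a DKIM-style tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def body_profile(tags):
    """Parameters that must match before two bh values can be compared."""
    canon = tags.get("c", "simple/simple")
    # With no "/body" part, body canonicalization defaults to simple.
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    hash_alg = tags.get("a", "").rpartition("-")[2]
    return (hash_alg, body_canon, tags.get("l"))

def body_change_hops(ams_values):
    """Return (changed, unknown) lists of ARC instance numbers.

    changed: bh differs from the previous hop under the same hash,
             body canonicalization and l= limit.
    unknown: parameters differ, so unequal bh values prove nothing.
    """
    hops = sorted((parse_tags(v) for v in ams_values), key=lambda t: int(t["i"]))
    changed, unknown = [], []
    for prev, cur in zip(hops, hops[1:]):
        instance = int(cur["i"])
        if body_profile(prev) != body_profile(cur):
            unknown.append(instance)
        elif prev["bh"] != cur["bh"]:
            changed.append(instance)
    return changed, unknown

if __name__ == "__main__":
    print(body_change_hops(SAMPLE_AMS))
```

The comparison reads header fields only and does no signature verification, and it says nothing about header modifications, which bh does not cover.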