Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations
Brandon Long <blong@google.com> Tue, 21 July 2020 20:43 UTC
From: Brandon Long <blong@google.com>
Date: Tue, 21 Jul 2020 13:42:47 -0700
Message-ID: <CABa8R6t7Wsm88_qZ3k9w80xinNFoEtj3voY3y0ow=9+3csZofQ@mail.gmail.com>
To: Dave Crocker <dcrocker@gmail.com>
Cc: Dotzero <dotzero@gmail.com>, IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/a1ZeSyR4GIWhyz9h6HmnjYPoFyc>

On Tue, Jul 21, 2020 at 12:45 PM Dave Crocker <dcrocker@gmail.com> wrote:

> On 7/21/2020 12:32 PM, Dotzero wrote:
>
> On Tue, Jul 21, 2020 at 2:06 PM Dave Crocker <dcrocker@bbiw.net> wrote:
>
>> On 7/21/2020 10:58 AM, Dotzero wrote:
>> For this case, DMARC externalizes that internal personnel problem.
>>
>> But it does not fit the definition of "spoofing".
>>
>> Please note that I did not use either the word "spoof" or "spoofing".
> You wrote "MLM is authorized by the user". Someone without authority cannot
> authorize. In this case the user externalized the problem, not DMARC.
>
> That's simply incorrect.
>
> I give you my credit card, telling you to use it only for gasoline
> purchases while running errands for me. You take the car on a
> cross-country joyride, running the cc charges for gasoline up. The
> stations that charged the gas to the card did nothing wrong. The problem
> is internal, between you and me.
>
> The MLMs did not do any spoofing. They acted appropriately, as they have
> for 45 years.
>
> If the domain owner has a problem with the user's behavior, that's
> internal, between the domain owner and the user.
>
> Using language that casts the MLM as doing something wrong is a
> fundamental misrepresentation of the situation.
>

Yahoo Groups, at least at the time I worked on it, allowed moderators to edit the message before approval. The full scope of that certainly allowed the moderators to effectively spoof the poster.

That said, sure, we're not talking about spoofing. We're talking about message changes that prevent strict signature verification. There is nothing in what MLM does that prevents much stronger changes than would be considered expected by the MLM.

Stricter validation is not an uncommon addition to protocols over the last 45 years. I'd be curious when MLMs modifying the mail going through them became a thing. I guess I assume it wasn't 45 years ago, but I know it's irrelevant.

Brandon
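
An added illustration, not part of the message above or of any list member's code: a minimal DKIM body-hash check (RFC 6376 "relaxed" body canonicalization, SHA-256, no l= tag) showing that a verifier gets the same failure for an appended list footer as for an edit to the poster's text. The message bodies and the footer are constructed samples; header signing and the RSA step are omitted.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.split(b"\r\n")
    # Collapse runs of SP/HTAB to one SP and drop whitespace at line ends.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value a verifier compares against the signature's bh= tag."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()


def body_hash_matches(signed_bh: str, received_body: bytes) -> bool:
    return body_hash(received_body) == signed_bh


# Constructed sample: what the author's domain signed.
ORIGINAL = b"Meeting moved to  3pm.\r\nSee you there.\r\n"

# Constructed samples: what a receiver might see after the list handled it.
VARIANTS = {
    "whitespace only": b"Meeting moved to 3pm.   \r\nSee you there.\r\n\r\n",
    "list footer appended": ORIGINAL + b"-- \r\nexample list footer\r\n",
    "text edited": b"Meeting moved to 5pm.\r\nSee you there.\r\n",
}


def check_all() -> dict:
    """Map each variant to the verifier's pass/fail result for bh=."""
    signed_bh = body_hash(ORIGINAL)
    return {name: body_hash_matches(signed_bh, body)
            for name, body in VARIANTS.items()}


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:22} bh match: {ok}")
```

The result is a single pass/fail bit, so the receiver cannot tell from the signature alone whether the change was a footer or a rewritten sentence.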