Re: [dmarc-ietf] Ticket #42 - Expand DMARC reporting URI functionality

Alessandro Vesely <vesely@tana.it> Thu, 03 December 2020 19:30 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A89DF3A08D4 for <dmarc@ietfa.amsl.com>; Thu, 3 Dec 2020 11:30:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.121
X-Spam-Level:
X-Spam-Status: No, score=-2.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZEqy1QJupSGz for <dmarc@ietfa.amsl.com>; Thu, 3 Dec 2020 11:30:23 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AE243A08AB for <dmarc@ietf.org>; Thu, 3 Dec 2020 11:30:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1607023820; bh=X1BQI5R11dL8oMmWa+CGCoXx9DwaViGriA8oU+CDWdg=; l=3275; h=To:References:From:Date:In-Reply-To; b=BJ2pytBgHUnXfrPaoTgQrxc8O/zvBu0lKUlVbl/ASZVcFgfnEwvMCpZDazGmbmJKP /epgRjgt8QAtgIBP87KAtwnD5Ve95Iul/CIlOXZfkh3N+lIcKrAQJ3sSS3YbwdmHRd yL1EnNqs2KXSXSO26KdOiKzCP2UGa50nDRTcmCmivHtcMTV+uF9X2tqolQhwl
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC03D.000000005FC93CCC.00002877; Thu, 03 Dec 2020 20:30:20 +0100
To: John R Levine <johnl@taugh.com>, dmarc@ietf.org
References: <20201202233432.D45FB28E1943@ary.qy> <f719b86d-9a7d-f865-3e16-10eaf35e0de0@tana.it> <479cfb50-b98e-fbbe-e7ce-375557cd624@taugh.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <f406f70b-3f98-a8fd-db9d-956c000f5c68@tana.it>
Date: Thu, 3 Dec 2020 20:30:20 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <479cfb50-b98e-fbbe-e7ce-375557cd624@taugh.com>
Content-Type: text/plain; charset=us-ascii
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/bTW0Ma0KkRSrU_ndE56WLNVdLKM>
Subject: Re: [dmarc-ietf] Ticket #42 - Expand DMARC reporting URI functionality
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 19:30:25 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu 03/Dec/2020 18:08:50 +0100 John R Levine wrote:
>>> When this came up before someone said that reports can be extremely
>>> large, many megabytes.  An HTTP POST or PUT is a much better way to send that.
>>
>> However faster, an https PUT/POST at midnight arrives later than a mailto at 
>> midday.
> 
> I'm sorry but this makes no sense at all.

I said so because you said https is faster.  The spec is unclear about intervals, but this is matter for another ticket.


> Why do you believe that people would not send reports by mail and by https
> at the same time?

Oh my.  Hadn't thought about that.  It will certainly cause duplicates.


>> Yes, PUT is better than POST.
>>
>> How about pgp-signing the file with the dkim key?
> 
> Sorry, that doesn't make any sense either.  DKIM keys and PGP keys are 
> different.

Hm... let me try and sign this message.

$ cat delta.private | PEM2OPENPGP_USAGE_FLAGS=sign pem2openpgp "Delta selector <postmaster@tana.it>" | gpg --import

Now I have:
sec   rsa1148 2020-12-03 [SC]
      500982D49712C507C236B2D6B8ABBBF9A091CC0D
uid           [ unknown] Delta selector <postmaster@tana.it>

$ gpg -u 500982D49712C507C236B2D6B8ABBBF9A091CC0D --clearsign < this text


Can you verify it?  I cannot find how to transform the delta selector public key into a pgp public key block.

That is to transform this:

$ eval $(digs delta._domainkey.tana.it txt |sed -rn -e 's/^"//' -e 's/" *"//g' -e 's/"$//p') && printf -- '-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n' "$(echo $p |base64 -d |base64)"
- -----BEGIN PUBLIC KEY-----
MIGuMA0GCSqGSIb3DQEBAQUAA4GcADCBmAKBkA5YMrfcQD3kzCQJFRXLatbXbl6h07EE1TrJOVp9
4EeBV50QFuBIk0igZgPTA39O77mUyNii81hD4q2g9/Hoj9asqQHTTKjqk+gwZWC+X46K5BYSRPTC
C9sidg20Laubyn0ATGaz+OyIl4JcE2rsEXwXLJ98OFEaa3gWyUVO9+lNwebs932bOtHbM2YpzJzE
PQIDAQAB
- -----END PUBLIC KEY-----

To this:

$ gpg  --export --armor 500982D49712C507C236B2D6B8ABBBF9A091CC0D\!
- -----BEGIN PGP PUBLIC KEY BLOCK-----

mJ0EX8kn8gEEfA5YMrfcQD3kzCQJFRXLatbXbl6h07EE1TrJOVp94EeBV50QFuBI
k0igZgPTA39O77mUyNii81hD4q2g9/Hoj9asqQHTTKjqk+gwZWC+X46K5BYSRPTC
C9sidg20Laubyn0ATGaz+OyIl4JcE2rsEXwXLJ98OFEaa3gWyUVO9+lNwebs932b
OtHbM2YpzJzEPQARAQABtCNEZWx0YSBzZWxlY3RvciA8cG9zdG1hc3RlckB0YW5h
Lml0PojgBBMBCAA6FiEEUAmC1JcSxQfCNrLWuKu7+aCRzA0FAl/JJ/ICGwIGCwkI
BwMCBxUKCQgLAwIEFgIDAQIeAQIXgAAKCRC4q7v5oJHMDfCfBHwKlNsrYbL+8uyb
y1RBhP/epV0M9xTji9J4Tg2dHcZLgkq9odH7LbOBMuVlZxQ6ksJEVmh131CHHPCr
/GmmQpsrxvpo0b5hXKRYTDqemwyvqNtWAMJpW4bLZ4XAy9c6fSICsXdfm8azKE8J
jZeHlnxMnvqhctQXTFSeJ+Ijnyn2ZC31V5J2ZzCfXSpY/fxoteo=
=KJkG
- -----END PGP PUBLIC KEY BLOCK-----

> It is hypothetically possible to sign an http transaction with DKIM

Any example?

 
> but that would be a giant distraction from what we're doing here.

Should be optional, like DKIM-signing aggregate reports sent by mailto.


Best
Ale
- -- 


-----BEGIN PGP SIGNATURE-----

iMMEAQEKAB0WIQRQCYLUlxLFB8I2sta4q7v5oJHMDQUCX8k7GgAKCRC4q7v5oJHM
DbyaBHwJ7JddtR6f9mAEF22QdZVX01ZQZagggwaqvHfXPWlD+wPafGH7Hi4dm4B+
Bh1BO/mevC5l0wYdLg5X2mTPhqNMzU+aCWz2MwdYK1iU2JQ6/KQOXpGZuhf597N0
BmRMpe56UDWt06wsE8cNUKmNiaVlJ6yaHXHSV5tUmcqXpXtGaqheAYxyY1BXepd5
KmcpmQg=
=+5y4
-----END PGP SIGNATURE-----