Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

"Murray S. Kucherawy" <superuser@gmail.com> Sat, 19 August 2017 01:43 UTC

MIME-Version: 1.0
In-Reply-To: <CABa8R6tE7E=eEnyzfhw-veD__O4FG1s8Xf7aokjfwTFmSEzTaQ@mail.gmail.com>
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com> <166070f0-4ba1-70da-1f73-885b4a7f7640@gmail.com> <1502497178.4103451.1070917304.23DD466D@webmail.messagingengine.com> <598F9484.7020700@isdg.net> <CABuGu1p=oLfLRkuoaDHoz3Cv3_FrURdsFPzkac7jNzBpqBmiSg@mail.gmail.com> <599484FB.9050908@isdg.net> <1502929303.4038704.1075868960.5D80A788@webmail.messagingengine.com> <CAD2i3WN_bmDgmQBw3pnyu7vWJJM2Kzwgru87VhK=NA_H91B+og@mail.gmail.com> <1502930858.4042926.1075890568.5069945B@webmail.messagingengine.com> <CABa8R6uhV9Bs42rgUGTSetBDDFmFPOhiYa6Yuqny0gv6dT3-Kg@mail.gmail.com> <1503006397.1306110.1076933224.154E25D6@webmail.messagingengine.com> <CABa8R6tE7E=eEnyzfhw-veD__O4FG1s8Xf7aokjfwTFmSEzTaQ@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Fri, 18 Aug 2017 18:43:55 -0700
Message-ID: <CAL0qLwbOZ2VPYG=MLhSnHWZmbhZSuN0gU2E4rcQeL2ZfRSqdYg@mail.gmail.com>
To: Brandon Long <blong@fiction.net>
Cc: Bron Gondwana <brong@fastmailteam.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a114f4020faf23505571160d8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/dVlVF6F56yh6cz6GkJGqdsEWJ78>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
Precedence: list

On Thu, Aug 17, 2017 at 5:22 PM, Brandon Long <blong@fiction.net> wrote:

> We went down the path of including a diff of the message in the headers,
> but you run up against more complicated changes that make that
> challenging.  Ie, mailing lists which strip attachments.  If all we cared
> about were subject munging and footers, there probably would have been a
> practical solution there.
>

I wrote a draft a while ago that would allow a DKIM-Signature to include an
annotation indicating that the signing ADMD did one or more of a specific
set of small but well-defined message changes (e.g., add a footer, add a
Subject tag).  Knowing what those are, a verifier could undo them and
attempt validation of earlier signatures in the handling chain.  Presumably
if no other modifications were made, the original content is thus
discoverable, and you could then produce a chain of custody of the actual
content before you that makes sense.

If that's worthy of consideration now I could certainly revivify it.

-MSK

[dmarc-ietf] ARC-Seal is meaningless security the… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Tim Draegen
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… John Levine
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Scott Kitterman
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… MH Michael Hammer (5304)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… mhammer@americangreetings.com
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos