Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

Seth Blank <seth@sethblank.com> Mon, 30 July 2018 20:48 UTC

Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 568A0130EB9 for <dmarc@ietfa.amsl.com>; Mon, 30 Jul 2018 13:48:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UQdE_XpcCmLq for <dmarc@ietfa.amsl.com>; Mon, 30 Jul 2018 13:48:15 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3837512D7F8 for <dmarc@ietf.org>; Mon, 30 Jul 2018 13:48:15 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id k12-v6so23835785oiw.8 for <dmarc@ietf.org>; Mon, 30 Jul 2018 13:48:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=FDp2vcmqX2+XO1psobPkVDfEhr8r+wk0vPVVHTo3Omg=; b=rV9doqqN6T0yUzCuf1QVj5Ef3RTbHQobqJ2xj43HdIQ+ql2+1AImB8s/fFVycYiuPW Ho3lSyMu004pVURIH/TqDUd/C3Pcl/tHHXJGiBtZfmbo8eNpuc9IX4SLMpqcMOiqvRFN ywMmzfPBQpRQ33Pd9hWj8Y29Nl3Ta8lAqLIuA2nI6DCxCdnWIwqeXDLQG1teIwHQ75/w HvI5J9paWDJibL7K5wDtY80a4mJ7En2SduAVspN0rbTjM7YZ9MDwG5AHU/mIUqJXqnsp 7J6cmzVfkwoO9HVo8KgYmVLVY0ExhBA9qnehLhxykHlJeINHmujypnDgcLRyr0GZNGpg evLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=FDp2vcmqX2+XO1psobPkVDfEhr8r+wk0vPVVHTo3Omg=; b=FeruPvCL0ZHbMwrDllw9kSp097uaeVeQ91DjAgOxo0Ogo74wqhv3xvcewRof4FD9PH kp+pxocLJ3/q6fiivrc+QrfbKRT+1rYe9uaVKw1FanWX/SEHoIhJ0+yXTMLUEWycSXPa pb/sZAGaK28GfRGMTVfVeSKpCwM7pHZZtRDAyLWoGlk3sBv+LtvMjGQ0LC3qVEWC1ZUM dv3cvKcSOiCQsNaY632B9HIu0QxRjUWmFVPnsWY+1gN0N9Ao9ARTii9PP+SquB4d011B d8/48+H/BhOc12PmgvwaQPVbCJNNW+cEt/zdeFNdZ9wJhDXNvjoJoEHJt6ikTOtrYtuM oSRg==
X-Gm-Message-State: AOUpUlGleT7yB5ZNy1HfrKWT++iyO0pIR8I0cooOeJGfUaHuerPV2ws7 jfJKwlBVctOVawVLYee65fUikwTWZkaEDWIkS2NSybUoKs0=
X-Google-Smtp-Source: AAOMgpeU5d/OksEKGz2Umc3LKCjsma2vTI/J3Up6fwxq6pbH4yFtNH4XLIgL0x4MbRcQv1EspNh2BqNzYvsafbouezI=
X-Received: by 2002:aca:cf0e:: with SMTP id f14-v6mr20869286oig.356.1532983694149; Mon, 30 Jul 2018 13:48:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:2646:0:0:0:0:0 with HTTP; Mon, 30 Jul 2018 13:47:53 -0700 (PDT)
In-Reply-To: <CAD2i3WNBdq9sC+2yRFUh=9ZpQH66kOdLfp8DjGcMjpKrWxF1Uw@mail.gmail.com>
References: <CAD2i3WMMJPaZYonS-qcz8pwOKYmS2Xe+8WBZPuAqjiGoYePzSg@mail.gmail.com> <CAL0qLwapyX3U=0OqQWzx+dDELn3W0v=N_HyzDnSw49oWQ+SE5Q@mail.gmail.com> <CAD2i3WN90JSS8pzgRxrbokuKmhZaLUrimYRWqkZwzVDBxTczng@mail.gmail.com> <CAL0qLwZ_uPh5iPkS7MKzDp3x=dAgn-hmsEunccDc3Hj2bsphpQ@mail.gmail.com> <CAD2i3WM99Yy6Y=BQE4dC=Ffm7J32My160Xdm2oxXC50Au9tXoA@mail.gmail.com> <1532745551.208119.1455489824.75DFC005@webmail.messagingengine.com> <CAD2i3WOHjUwi3J=xsLca5_4DJL=S+jaReGRC1fBQH5wsfWxOVg@mail.gmail.com> <1532905189.2879805.1456751232.5F2CDCE4@webmail.messagingengine.com> <CAD2i3WNBdq9sC+2yRFUh=9ZpQH66kOdLfp8DjGcMjpKrWxF1Uw@mail.gmail.com>
From: Seth Blank <seth@sethblank.com>
Date: Mon, 30 Jul 2018 13:47:53 -0700
Message-ID: <CAD2i3WNSe+of7U8fdTnmUeU3sthUbpEVgdYHT9J6BgLxoeOL3w@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000896aa705723d9456"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/e6td-7_Zie9m4n6WIVa7IZVIHcI>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 20:48:17 -0000

I've been thinking about this and discussing offline, so to put it
differently:

5.1.2 says when a chain fails, to put cv=fail in the AS and only Seal the
ARC Set being added.

Per the original message and suggested text, I believe 5.1.2 should only
provide the above guidance when it is not otherwise possible to sign the
entire ARC Chain (i.e. when the Chain is structurally invalid and a
deterministic set of headers cannot be enumerated).

Regardless of this behavior, the Chain is still equally dead. But in one
scenario (initial ARC Chain not Sealed) you get no data from that dead
chain, and in the other (failing Set Seals initial Chain) you can.

Might it be clearer to make my recommended change and also put something in
5.1.2 saying that the cv=fail Seal is just for trace purposes since the
chain can never validate per 5.2?