Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations
"Murray S. Kucherawy" <superuser@gmail.com> Sun, 19 July 2020 00:17 UTC
References: <cd9258e6-3917-2380-dd9b-66d74f3a64d3@gmail.com> <20200717210053.674D61D2C431@ary.qy>
In-Reply-To: <20200717210053.674D61D2C431@ary.qy>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Sat, 18 Jul 2020 17:16:50 -0700
Message-ID: <CAL0qLwbkhG-qUyGqxaEjcFn2Lb7wPMhcPFEMA8eqptBJpePPxA@mail.gmail.com>
To: Dave Crocker on behalf of Kurt Andersen <johnl@taugh.com>
Cc: IETF DMARC WG <dmarc@ietf.org>, Dave Crocker <dcrocker@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/e9G9sTFQfhqcKaal1zco3Y63P9Y>

Brandon Long, if you're watching:

On Fri, Jul 17, 2020 at 2:01 PM Dave Crocker on behalf of Kurt Andersen <johnl@taugh.com> wrote:

> In article <cd9258e6-3917-2380-dd9b-66d74f3a64d3@gmail.com> you write:
> >> I'd counter by personal anecdote that we have had to undertake
> >> security remediations because of messages which were forwarded by our
> >> CEO to other employees for responses which happened to contain malware
> >> and/or bad links. ...
>
> >Except that the problem isn't the email address, especially since almost
> >no one sees those any more. And the display name isn't protected.
>
> Do we have any recent numbers on how many users see the From address rather
> than or in addition to the display name?
>
> Signed,
> uh, someone
>

At some point in the past, Gmail decided to show the email address only unless that address was in the recipient's contact list, or if the recipient had replied to that address previously, or something like that. In those cases, the RFC5322.From address was trusted, and so the display name was shown.

Is there logic like that still in place? Any other UI developers got a policy here?

-MSK, sans chapeau