Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Seth Blank <seth@sethblank.com> Mon, 07 August 2017 23:22 UTC

In-Reply-To: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com>
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com>
From: Seth Blank <seth@sethblank.com>
Date: Mon, 07 Aug 2017 16:22:15 -0700
Message-ID: <CAD2i3WOCFHf7C4qjpCcGCFKJKsZC2+Wty1arkQgTU_jtrS6MuQ@mail.gmail.com>
To: dmarc@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/eDFOrwt4QvGz2d3HFjD7IdIoXPc>

On Sun, Aug 6, 2017 at 10:21 PM, Bron Gondwana <brong@fastmailteam.com>
wrote:
>
> *AS adds nothing over just having AMS signing its own AAR, and then you
> only have to verify ONE signature, the most recent.*
>
> <snip>
>
> You either trust the most recent signer and trust that THEY validated the
> previous signer/SPF (and so on) or the chain is broken anyway, so why add a
> parallel, easily falsified, chain of signatures?
>

There's a critical reason the ARC Seal exists that you're missing:

ARC is about maintaining a chain of custody so that a final receiver can be
certain of which domains modified a message in transit. Like DMARC, DKIM,
and SPF, we're trying to ascertain if the message was handled by the domain
it said it was handled by - we're not passing judgement on the contents of
the message itself.

When validating an ARC signed message, one verifies the latest AMS (which
must validate), and *the entire chain* of ARC Seals, not only the latest.
This guarantees you a list of all message signatories - the chain of
custody we're talking about.

When evaluating the chain for final receipt, there are two states to worry
about as a matter of local policy:
1) you trust all the signatories on the chain
2) there is an untrusted signatory on the chain

In state #1, you're done - if you trust the signatories then you trust
they're not playing games with the AMS and AAR contents or manipulating the
message in malicious ways. Now you can make a delivery decision as local
policy dictates.

In state #2, you're also done - if you don't trust all the signatories,
then there are a multitude of routes for the message to be garbage,
including but not limited to everything you've outlined above.

The critical thing about the ARC Seal is that it guarantees this behavior
in state #1 - if you trust all the d= values in the ARC Seals, they all
validate, and you have cv=pass, then you know for certain everyone who has
manipulated the message (and maybe some who handled but did not modify).

Without the ARC Seal this determination is not possible and there is no way
to evaluate the ARC chain for delivery as a final receiver.

Seth
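As an added example (not code from this message, and not any ARC implementation's own code), the two-state evaluation described above expressed in Python over a constructed two-hop chain: the latest AMS must verify, every ARC-Seal in the chain must verify, and the d= values are then checked against the receiver's trust list. The `ArcSet` and `Verdict` types and the precomputed `seal_valid`/`ams_valid` flags are assumptions; the rule that the first seal carries cv=none and later ones cv=pass comes from the ARC specification rather than from this post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArcSet:
    i: int            # ARC instance number (i= tag)
    d: str            # signing domain from the ARC-Seal d= tag
    cv: str           # chain validation status the sealer asserted: none, pass or fail
    seal_valid: bool  # ARC-Seal signature verified against the d= key (assumed precomputed)
    ams_valid: bool   # ARC-Message-Signature verified (assumed precomputed)


@dataclass(frozen=True)
class Verdict:
    state: str              # "broken", "all_trusted" or "untrusted_signatory"
    signatories: frozenset  # every d= that sealed the chain: the chain of custody
    untrusted: frozenset    # signatories not on the receiver's trust list


def evaluate_chain(sets, trusted_domains):
    """Final-receiver chain evaluation: latest AMS verifies, the entire chain of
    ARC-Seals verifies, and the seals assert a passing chain; then apply trust."""
    ordered = sorted(sets, key=lambda s: s.i)
    broken = Verdict("broken", frozenset(), frozenset())
    if not ordered or [s.i for s in ordered] != list(range(1, len(ordered) + 1)):
        return broken  # empty chain, or gaps/duplicates in the instance numbers
    # The first sealer had no prior chain (cv=none); every later sealer must have
    # found the chain up to that point passing (cv=pass) - per the ARC spec.
    if ordered[0].cv != "none" or any(s.cv != "pass" for s in ordered[1:]):
        return broken
    if not ordered[-1].ams_valid:  # only the most recent AMS is expected to survive
        return broken
    if not all(s.seal_valid for s in ordered):  # every seal, not only the latest
        return broken
    signatories = frozenset(s.d for s in ordered)
    untrusted = signatories - frozenset(trusted_domains)
    state = "all_trusted" if not untrusted else "untrusted_signatory"
    return Verdict(state, signatories, untrusted)


# Constructed sample chain: a mailing list (i=1) followed by a forwarder (i=2).
SAMPLE_CHAIN = [
    ArcSet(1, "lists.example", "none", True, False),  # its AMS broken by later edits
    ArcSet(2, "forwarder.example", "pass", True, True),
]

if __name__ == "__main__":
    print(evaluate_chain(SAMPLE_CHAIN, {"lists.example", "forwarder.example"}))
    print(evaluate_chain(SAMPLE_CHAIN, {"forwarder.example"}))
```

In state #1 the verdict carries the full signatory set as the chain of custody; in state #2 the `untrusted` set names the hop a local policy cannot vouch for, and a failed seal anywhere in the chain yields `broken` regardless of trust.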