Re: [dmarc-ietf] spec nit - which DKIM to report

Alessandro Vesely <vesely@tana.it> Sat, 06 July 2019 11:30 UTC

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1562412615; bh=qXK2Q7inchwyfogbQ7N3h1BcMZbdBSATrMxKBe2Xj08=; l=1320; h=To:References:From:Date:In-Reply-To; b=BqTDjXIqFJZq+Io81mjVDoC4l92JDJ58nQpn7Ierzj4iREdpO5tYujQ14oUoUUA5l qF2OkWpY/8W+idgEznPglUDQsex02hPrj5inOKwI1N7FxCUC8Gbk0v9DW3RilVcHJ3 oiQ0hWLL7chDk+Lby7Jj6/0o31FZYlSp0smFRd81CFMqjO3XwrnjhshkHxhld
Authentication-Results: tana.it; auth=pass (details omitted)
To: dmarc@ietf.org
References: <20190621184626.AE1B52016298ED@ary.qy>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <233c41a5-4072-266c-54eb-e19239949c4a@tana.it>
Date: Sat, 06 Jul 2019 13:30:13 +0200
In-Reply-To: <20190621184626.AE1B52016298ED@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/eat8nbWQnELTtq8Mi_HH1T-hjzk>
Subject: Re: [dmarc-ietf] spec nit - which DKIM to report

>> the spec does not define *which* DKIM signature should be reported in 
>> the DMARC RUA created by a receiver.
>> [... skip proposed order ...]
> 
> This seems overcomplex.  How about saying the reports SHOULD include
> all valid DKIM reports.  If they can't, they can't, and I don't see
> any benefit in offering advice on how not to comply.


In my implementation, I have two points where I don't comply:

*Maximum signatures in a message*

That is to avoid silly attacks (but consider the recent SKS attack).  It
is about 1000, IIRC.  The rest is not verified.


*Maximum signatures reported in rua*

This is much lower, currently 4.  It's there because transitive closure
is not yet available on a number of SQL products.  In particular,
MariaDB needs 10.2.2[*], which is not yet in Debian stable.  The
workaround is to left join the table with itself a (finite) number of
times[†].


How about this:

    In the presence of multiple signatures, aggregate reports SHOULD
    mention at most 1000 and at least 4 signatures (if available), in
    order of decreasing importance.

?


Best
Ale
-- 

[*]
https://mariadb.com/kb/en/library/recursive-common-table-expressions-overview/

[†] search db_sql_dmarc_agg_record in:
https://www.tana.it/svn/zdkimfilter/tags/v1.6/odbx_example.conf
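
The two query shapes discussed above, as an added example that is neither the poster's code nor zdkimfilter's actual db_sql_dmarc_agg_record schema: a constructed table in which each DKIM signature row points at the previous signature of the same message, read once with a recursive CTE (the transitive closure MariaDB gained in 10.2.2) and once with the portable fixed-depth self-join workaround that silently caps the report at 4 signatures.

```python
import sqlite3

# Constructed, simplified schema for illustration only: collecting all
# signatures of a message means walking the `prev` chain, i.e. a
# transitive closure over the table.
SCHEMA = """
CREATE TABLE sig (
    id     INTEGER PRIMARY KEY,
    msg    INTEGER NOT NULL,
    domain TEXT    NOT NULL,
    prev   INTEGER REFERENCES sig(id)   -- NULL for the first signature
);
"""

def load_sample():
    """In-memory DB with one message (msg=1) carrying six valid signatures."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    prev = None
    for i, d in enumerate(["example.com", "list.example.org", "relay1.example.net",
                           "relay2.example.net", "relay3.example.net", "archive.example"], 1):
        conn.execute("INSERT INTO sig VALUES (?, 1, ?, ?)", (i, d, prev))
        prev = i
    return conn

def signatures_recursive(conn, msg):
    """Whole chain, any length: needs WITH RECURSIVE (MariaDB >= 10.2.2)."""
    rows = conn.execute("""
        WITH RECURSIVE chain(id, domain, depth) AS (
            SELECT id, domain, 1 FROM sig WHERE msg = ? AND prev IS NULL
            UNION ALL
            SELECT s.id, s.domain, c.depth + 1 FROM sig s JOIN chain c ON s.prev = c.id
        )
        SELECT domain FROM chain ORDER BY depth""", (msg,))
    return [r[0] for r in rows]

def signatures_fixed(conn, msg, limit=4):
    """Workaround: LEFT JOIN sig with itself limit-1 times.  Works on any SQL
    engine, but signatures beyond `limit` never reach the report."""
    cols = ", ".join(f"s{i}.domain" for i in range(1, limit + 1))
    joins = "".join(f" LEFT JOIN sig s{i} ON s{i}.prev = s{i-1}.id" for i in range(2, limit + 1))
    row = conn.execute(f"SELECT {cols} FROM sig s1{joins} WHERE s1.msg = ? AND s1.prev IS NULL",
                       (msg,)).fetchone()
    return [d for d in row if d is not None] if row else []

if __name__ == "__main__":
    c = load_sample()
    print(signatures_recursive(c, 1))   # all six domains
    print(signatures_fixed(c, 1))       # only the first four
```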