IETF Logo Mail Archive

Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Brandon Long <blong@google.com> Thu, 17 August 2017 18:44 UTC

Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D1901323CE for <dmarc@ietfa.amsl.com>; Thu, 17 Aug 2017 11:44:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0owwM1GGd3vz for <dmarc@ietfa.amsl.com>; Thu, 17 Aug 2017 11:44:49 -0700 (PDT)
Received: from mail-vk0-x231.google.com (mail-vk0-x231.google.com [IPv6:2607:f8b0:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AEA31323A7 for <dmarc@ietf.org>; Thu, 17 Aug 2017 11:44:49 -0700 (PDT)
Received: by mail-vk0-x231.google.com with SMTP id u133so25340794vke.3 for <dmarc@ietf.org>; Thu, 17 Aug 2017 11:44:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=CZvoGPfK8ttLaqXaGnxkAh9CLGLLYNQ6aYjPw9cadUk=; b=BmAqg2dL0ldTEypmyh3MdnsFdg+sA0eong/uJy05nyZXe6dtjuap8S5iOFLXt7hBx+ yZJotMaiV3wKDNl0naAmCwEsu0tzPNEiljsrIdierK5NiWsbSILXP8BhrM5P5dsc3I5Z HEz3ktDp2wdzausFlt9TNIBYcddjouPxqQWdSN2DtPlQKylSyYEMmA3NcSXvlhe9sNnX l7rhxNlmPXAatmbeqCJMOSg8wf+KaDyACKXIN+qaKSFNY/hzH0Kf0OcDJnmZQwKshl9p Vzrh0OKqixfiHCOIyEWr1YU7Kxw0uI/Gvx88Y6uuZpf2u2UYqLoRvumlWBzmfWmRZ2Ln kDhQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=CZvoGPfK8ttLaqXaGnxkAh9CLGLLYNQ6aYjPw9cadUk=; b=Cybw61RaCPjZ6wSmBhEa2O8T25HH+kIpYapOR+qZsf7zqDTUuJgk/ONh3KBy0fnWrN uIUYLscS/fh1gcaJNH6LQP1i6v9lBV4axBQ/vwhrobaGeU3x37E1gfUrntX9aHXuq+fD xcmYEXvwXXYm9JUx73Bt0RN/6SGrQo1us4Cb1ES365BNKgV+jSqOqhoSqCnvYIh8ikIG AfmaGekXeWK8aJZBRNYNzpnXvvhW9A4o2dfNbHW0boVjVrzhoaOBq/jaYbve82SnkuQw B2FZXsPUD6NjCnUHYtIdxzOPdN6cwf9H27cf7DxPzTW2MMkFZzvCXfwOKqd6slZDZtYY 9cnA==
X-Gm-Message-State: AHYfb5h7QHS9STU3mfcUcJ7AoE7tqS2dPtkqvRZpL0kKKRNkIyt9U6bv 3U7PTsMa8F0qekPn9IOPdoyfFFVx7qbtD94=
X-Received: by 10.31.120.12 with SMTP id t12mr3990413vkc.29.1502995488040; Thu, 17 Aug 2017 11:44:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.135.139 with HTTP; Thu, 17 Aug 2017 11:44:47 -0700 (PDT)
In-Reply-To: <1502930858.4042926.1075890568.5069945B@webmail.messagingengine.com>
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com> <166070f0-4ba1-70da-1f73-885b4a7f7640@gmail.com> <1502497178.4103451.1070917304.23DD466D@webmail.messagingengine.com> <598F9484.7020700@isdg.net> <CABuGu1p=oLfLRkuoaDHoz3Cv3_FrURdsFPzkac7jNzBpqBmiSg@mail.gmail.com> <599484FB.9050908@isdg.net> <1502929303.4038704.1075868960.5D80A788@webmail.messagingengine.com> <CAD2i3WN_bmDgmQBw3pnyu7vWJJM2Kzwgru87VhK=NA_H91B+og@mail.gmail.com> <1502930858.4042926.1075890568.5069945B@webmail.messagingengine.com>
From: Brandon Long <blong@google.com>
Date: Thu, 17 Aug 2017 11:44:47 -0700
Message-ID: <CABa8R6uLJOg4kHNUyYLWoL9jjgExjVBtDAh-=FMMJbrs=Y4b_w@mail.gmail.com>
To: Bron Gondwana <brong@fastmailteam.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1495962a9cd40556f768b0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/emO8kN3M892eer5uFBVXcFX4wzk>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 18:44:52 -0000

On Wed, Aug 16, 2017 at 5:47 PM, Bron Gondwana <brong@fastmailteam.com>
wrote:

> On Thu, 17 Aug 2017, at 10:34, Seth Blank wrote:
>
> On Wed, Aug 16, 2017 at 5:21 PM, Bron Gondwana <brong@fastmailteam.com>
> wrote:
>
> The only way you could even hope (as a mailing list) to avoid rewriting
> the sender is for every site that currently has DMARC p=reject to change
> that to a new policy which explicitly means "only reject if no ARC chain" -
> otherwise you can't stop rewriting sender until you know that every
> receiver on your list is ARC-aware.
>
>
> I don't understand your point.
>
>
> If you are a mailing list and you receive a message from a domain with
> DMARC p=reject, you can't send that message on to the members of your list
> without rewriting the sender.
>
> The only way DKIM works is if enough receivers validate it.
>
> The only way adding elliptic curve to DKIM works is if enough receivers
> validate it.
>
> The only way a DMARC policy works is if enough receivers validate it.
>
> ARC is the explicit solution to mailing list breakage with DMARC. But, as
> with all other IETF RFCs, only works if enough receivers validate it.
>
> Our job is to make sure ARC accomplishes its goals under the DMARC
> charter, and demonstrate value to receivers that it's worthwhile to
> implement.
>
> There will always be a ramp up and implementation phase, that is a
> feature, not a bug, and not a reason to say "it won't work."
>
>
> While there exists A SINGLE SITE which is ARC-unaware and DMARC p=reject
> aware, you can't use ARC on a DMARC p=reject domain without rewriting the
> sender.  Otherwise that site will bounce the email.
>
> You still have to rewrite the sender until there is either full adoption
> or sufficient adoption that you just don't care about the stragglers.
>
> ARC doesn't solve that unless every receiver is either ARC-aware or
> DMARC-unaware.  Hence the suggestion that I think Hector is making - to
> define a new policy p=rejectnonarc or something, which means that sites
> which are ARC-unaware accept rather than reject.
>

Theoretically, if rewriting the from header had been the "approved" way to
work around DMARC issues for mailing ilsts, one could imagine that
something like ARC could have explicitly allowed for that concept and
making it so receivers could back-sub the original From or something. That
way, ARC implementers would get immediate benefits over from rewriting.

OTOH, if you ignore from header rewriting as a solution (which many have),
then ARC implementation theoretically adds immediate benefit (or the
potential for immediate benefit, since it requires participation from both
the mailing list and receivers)

ARC definitely solves more than from header rewriting does, but from header
rewriting is certainly a much simpler solution for mailing lists... even as
it makes them slightly worse to use.

Brandon

v2.23.0 | Report a Bug | By Email