Re: [dmarc-ietf] ARC vs reject

Michael Thomas <mike@mtcc.com> Sun, 06 December 2020 17:01 UTC

To: dmarc@ietf.org
References: <20201205231059.2BA23290EDCD@ary.qy> <b437a23a-7e7e-f70d-04dc-49810d002c43@mtcc.com> <b6950472-599b-d0a7-c0d1-82db099fb99b@gmail.com> <7ae42764-176d-11a8-e084-b10b6f676944@mtcc.com> <cb526017-c198-44f1-7282-986e5a810d6a@gmail.com> <8142f18c-ac79-1f94-97d1-2704f0b4ceb6@mtcc.com> <CAH48ZfwHKoVZn9RdhBh-xU=he8=smB59R5EF1TYJ_0upEDHn2A@mail.gmail.com> <72d32b62-64fb-937a-dac5-6f4c5816f523@mtcc.com> <cc5cd21c-ae32-512c-e988-55dfabd39e38@tana.it>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <d96eb6cc-0412-0215-5ce2-28dbcfc13a8f@mtcc.com>
Date: Sun, 06 Dec 2020 09:01:04 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <cc5cd21c-ae32-512c-e988-55dfabd39e38@tana.it>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/fawIJKUZfGXtl_M51MbmwJ_fNkA>
Subject: Re: [dmarc-ietf] ARC vs reject

On 12/6/20 5:40 AM, Alessandro Vesely wrote:
> On Sun 06/Dec/2020 02:34:45 +0100 Michael Thomas wrote:
>>>
>>> 5) The work you and Alessandro have done with reverse transformation 
>>> is more likely to produce a solution for the mailing lists.   The 
>>> lists will continue to do From rewrite, but reverse-transform 
>>> recipients can validate the true source of the message and restore 
>>> the From if desired.
>>
>> I'm starting to get a little more serious about my quip that the MLM 
>> can insert a sed script in a header to unmangle the message since it 
>> knows what transforms it has done, unlike the receiving MTA trying to 
>> guess the common transformations.
>
>
> But then the receiving MTA will have to guess whether the sed script 
> considerably alters the intended meaning of the message. For example, 
> does it change a bank account number?
>
This actually highlights why my observation is correct. If the 
intermediary showed how to reverse their changes perfectly to be able to 
validate the original signature, it says nothing about whether those 
changes to be delivered to the recipient are acceptable to the 
originating domain. For the case of a bank sending me sensitive mail, 
the answer is that it is never ok. For somebody working on internet 
standards working on IETF lists, the answer is that it is fine. Hence 
trying to get two states of the one "reject" is insufficient.

Mike
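The two points in this exchange, reduced to code: an intermediary records the transform it applied so a receiver can undo it and re-check the signed body hash, and a separate originator policy decides whether a modified message may be delivered at all. This is an added illustration, not code from the thread or from any DMARC/ARC specification; the recipe header format, the `strip_footer` op and the `originator_allows_mods` flag are hypothetical stand-ins for the "sed script" idea, and the sample message and footer are constructed. The body hash itself follows DKIM's bh= construction (base64 SHA-256 over the "simple"-canonicalized body).

```python
import base64
import hashlib


def body_hash(body: str) -> str:
    """DKIM-style bh=: base64(sha256) of the body after 'simple' canonicalization
    (CRLF line endings, trailing empty lines collapsed to a single CRLF)."""
    canon = body.replace("\r\n", "\n").rstrip("\n") + "\n"
    digest = hashlib.sha256(canon.replace("\n", "\r\n").encode()).digest()
    return base64.b64encode(digest).decode()


def mlm_transform(body: str, footer: str) -> tuple[str, dict]:
    """The list appends its footer and records exactly what it did. The recipe
    (a JSON-able dict of ops) is a hypothetical stand-in for the 'sed script'
    header floated in the thread, not any IETF-specified header field."""
    mangled = body.rstrip("\n") + "\n" + footer + "\n"
    recipe = {"v": 1, "ops": [{"op": "strip_footer", "text": footer}]}
    return mangled, recipe


def reverse_transform(body: str, recipe: dict) -> str:
    """Undo the recorded ops in reverse order; refuse recipes that do not fit."""
    for op in reversed(recipe["ops"]):
        if op["op"] != "strip_footer":
            raise ValueError("unknown op: " + str(op["op"]))
        suffix = "\n" + op["text"] + "\n"
        if not body.endswith(suffix):
            raise ValueError("recipe does not match the received body")
        body = body[: -len(suffix)] + "\n"
    return body


def receiver_decision(original_bh: str, received_body: str, recipe: dict,
                      originator_allows_mods: bool) -> dict:
    """Two independent questions. (1) Does the reversed body reproduce the bh=
    the origin signed? (2) Does the originating domain accept delivery of a
    modified message at all? A reversal recipe can only ever answer (1)."""
    try:
        restored = reverse_transform(received_body, recipe)
    except ValueError:
        return {"signature_restored": False, "deliver": False}
    restored_ok = body_hash(restored) == original_bh
    return {"signature_restored": restored_ok,
            "deliver": restored_ok and originator_allows_mods}


# Constructed sample message and list footer (not real mail).
ORIGINAL_BODY = "Please review the statement below.\nAccount: 12345678\n"
LIST_FOOTER = "_______________________________________________\ndmarc mailing list"
```

With the same mangled message and recipe, the bank case (`originator_allows_mods=False`) restores the signature but is not delivered, while the standards-list case is; a body whose account number was altered in transit fails restoration regardless of policy.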