IETF Logo Mail Archive

Re: [dmarc-ietf] third party authorization, not, was non-mailing list

Dotzero <dotzero@gmail.com> Sat, 29 August 2020 20:12 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E48E13A0FBA for <dmarc@ietfa.amsl.com>; Sat, 29 Aug 2020 13:12:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ew6ml2vEiCTI for <dmarc@ietfa.amsl.com>; Sat, 29 Aug 2020 13:12:19 -0700 (PDT)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 083143A0FB8 for <dmarc@ietf.org>; Sat, 29 Aug 2020 13:12:19 -0700 (PDT)
Received: by mail-qt1-x82c.google.com with SMTP id e7so2133379qtj.11 for <dmarc@ietf.org>; Sat, 29 Aug 2020 13:12:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VVPjqxaCdu74xMLB5vFAnDogBUEPTI/5BE0nyJw/tlg=; b=rprlmrbsgOIr+pxaxdZkmjy+Q79rvrBPxrvop3FmX3HYc3tyL9+GcAKZn/may2LnJP a57RyEyXXfDvcCgW+DQ3aidSYAkBDzbqhnVRgoeklQGVaZFzS3qifqFC9XsYvI7/aBcI LyQNPqiXyjXjYdbAffjVoEla1O9BpQaQ+yzEtZaZUnxbMOdhO56nRuYN5JU1TSXee6vc 4aRWxXp8k4uDfysn3u1v8CxURjMSEggEHZlmZ6Mzwfiz7ktmEgCHO9Q3j/gSHBGZdp/T LHDgii7XZuyOkGzsVKiInWL40IhSbdsVNjVaGFGp7Wxl/mO5xnxs4JfBBNvJINUWlvQn +/vQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VVPjqxaCdu74xMLB5vFAnDogBUEPTI/5BE0nyJw/tlg=; b=r6KuEfN2Th9cyeVnvOTH+yO59eDdcAH98SrdhmFYeMqpTTR8qgXLk8ZYqMZLFhcUq8 ggx3ZF2EoXJmb66YpXb4eBTn+mSiHOE3MMfJJaNhvyYYS05mONsemiYGRtCn6dVBPHvS ExjfIV/ayVES4aHWyx407y7TZGDRjhFHSPtkBnPyzUz99JotzQrjfXK+A4P/8Reo5u+x DyuL//6e5K/Wl8M2uqBdcPUvyUcy1ToJIX+CUa/biD+DzSPlkw7pGAzCWSm4a0h8HPFH ajeHYA+6F73vEy0QmGgG8MWfdHJ3Fq17D9ZP/VUrWFNlGeO8Uy4H/vwUqGvC2V46AyOv EFBg==
X-Gm-Message-State: AOAM531Y5M64U+ATIYsUxFukknNwsX/Z0KpcCeQt/IQ8Cnj/W8RT5AMT Z2kaNnwQTQxnTLl3PZDfrXfwNIfL2N8L/JbFrNQ=
X-Google-Smtp-Source: ABdhPJwHu1UBwzNy1kT7oaXnTF8/TIngiwBWZBeyh5AFRevZoP/DVAsWPuY7Na2yCqOaB+7pwtGVbmPKLYtZOaTA/cI=
X-Received: by 2002:ac8:6906:: with SMTP id e6mr6984813qtr.267.1598731938059; Sat, 29 Aug 2020 13:12:18 -0700 (PDT)
MIME-Version: 1.0
References: <20200824172403.A927C1F14BF5@ary.qy> <5fe7d5c2-7330-c9fb-2856-e7dfc2175c82@tana.it> <CAJ4XoYc1vutV61E-66DHWcdOxHmCUWiC0HC0AmiRYUcMxLgcCQ@mail.gmail.com> <1fe7a47f-4ebc-7621-2c1-e4803473e8d7@taugh.com> <CAJ4XoYf3_y4tb5JYm5fGndqxKN+070LvZ6i5kjHKqH0NnbHnhg@mail.gmail.com> <001801d67bce$bdf97510$39ec5f30$@bayviewphysicians.com> <CAJ4XoYdR-kHARvkYjbbyqoEnx8YV5RP4x1z40M3-z9ap1ypcRg@mail.gmail.com> <10ed5aec-7e4f-b6d4-0564-613fd92ebf72@bluepopcorn.net> <613173c7fdfb4b40afdd80e2354f5042@bayviewphysicians.com>
In-Reply-To: <613173c7fdfb4b40afdd80e2354f5042@bayviewphysicians.com>
From: Dotzero <dotzero@gmail.com>
Date: Sat, 29 Aug 2020 16:12:11 -0400
Message-ID: <CAJ4XoYfgO+Bne0MMjvw93w+jYEgu0EiG472ohT+oXtc2bYsMqw@mail.gmail.com>
To: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000425b1705ae09c912"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/gS9vwRhayUo4hFqtEKFiG7N2RbQ>
Subject: Re: [dmarc-ietf] third party authorization, not, was non-mailing list
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Aug 2020 20:12:21 -0000

On Sat, Aug 29, 2020 at 3:43 PM Douglas E. Foster <fosterd=
40bayviewphysicians.com@dmarc.ietf.org> wrote:

> To elaborate on my question and Michael Hammer's answer:
>
> To be unique, a signature needs a unique dataset from which the hash is
> computed.   The weak signature will not be unique because it will be
> computed on non-random content such as From, To, and Date.
>

There are additional ways of introducing complexity and randomness.

>
> However, the signature can only be used by the designated domain.   So the
> worst possible "misuse" would be for the designated domain to use the
> signature on other messages.   This seems unlikely, and the worst-case use
> is no different than what ATSP would authorize.   But the weak signature
> has less information leakage, since nothing is published in DNS about the
> signature technique.   So I agree that the approach is a good one for those
> who want to provide mailing-list authorization.
>
> The remaining challenge is to communicate between recipient domains and
> mailing lists so that the list knows whether the recipient will honor the
> weak signature system.
>
> Doug Foster
>
>
>
>
> ------------------------------
> *From*: Jim Fenton <fenton@bluepopcorn.net>
> *Sent*: 8/26/20 5:01 PM
> *To*: Dotzero <dotzero@gmail.com>
> *Cc*: IETF DMARC WG <dmarc@ietf.org>
> *Subject*: Re: [dmarc-ietf] third party authorization, not, was
> non-mailing list
> On 8/26/20 10:54 AM, Dotzero wrote:
>
>
>
> On Wed, Aug 26, 2020 at 1:32 PM Doug Foster <fosterd=
> 40bayviewphysicians.com@dmarc.ietf.org> wrote:
>
>> Are the weak signatures vulnerable to a replay attack?    I thought that
>> one of the reasons that DKIM signatures included the whole body was to
>> prevent the signature from being reused.
>>
>>
>>
>> DF
>>
>
> Not particularly vulnerable. The requirement is that you have the "weak
> signature" plus the intermediary full DKIM signature. This let's the
> validator/receiver know that the originating domain knew that the
> intermediary might break the originating domains DKIM signature but the
> validator/receiver would have the DKIM signature of the intermediary. The
> "weak signature" is only validated against that specific message and
> headers it signed and that specific intermediary. It's not a
> generic/general signature.
>
>
> It sounds like the weak signature is just a regular DKIM signature plus
> the designation of the intermediary, and the "weak" part is that you don't
> check the body hash against the body. Have I got that right?
>
> -Jim
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.46.0 | Report a Bug | By Email | System Status