Re: [dmarc-ietf] Next draft concerns
Douglas Foster <dougfoster.emailstandards@gmail.com> Sun, 12 June 2022 20:08 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BECAEC14F6E5 for <dmarc@ietfa.amsl.com>; Sun, 12 Jun 2022 13:08:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KkWoupThX08O for <dmarc@ietfa.amsl.com>; Sun, 12 Jun 2022 13:08:26 -0700 (PDT)
Received: from mail-oa1-x30.google.com (mail-oa1-x30.google.com [IPv6:2001:4860:4864:20::30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C8A0C14F607 for <dmarc@ietf.org>; Sun, 12 Jun 2022 13:08:26 -0700 (PDT)
Received: by mail-oa1-x30.google.com with SMTP id 586e51a60fabf-fe32122311so6058734fac.7 for <dmarc@ietf.org>; Sun, 12 Jun 2022 13:08:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=R7DsJz+/1alerOM4lF8XwrpoRRd6h8n/YedTiOjgkwU=; b=QYExPFh2g6XO03mQfNroIs1C54lLriUU0+2B3Gfnjse6JAjYawb8v5Rn1dPxvH2STb DOYjJUh3WxX7tTkkKs+2LYORMv/2x+aqnhQPAe2EVVifNR8KAZ1aEsZBl3ZW3HY8CkzM M72gMr2u76RlRgQb47EI4hq1zQpCT54rpnvXdvmAcvRmPKeT/nPzSwT6BKfB9vy+8obl kj4EwVdJ1c5/8QiGtsmlH14/PhxbVr0m5tlnMoyZHj1VfnePwBOmw7q8XlD9FkTfMIY7 qNbyN0/qxjdda6rS6QbSpYtbABdPida4m2bQ8nqYdii8LjcyjOBRI061HEms8+Uz1wGq Vt9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=R7DsJz+/1alerOM4lF8XwrpoRRd6h8n/YedTiOjgkwU=; b=doCzz/cpX0wuSDHPVj20JdRMheQAtzHiJbY4f5h2sasjt0QAYZzvMzedP0sZtyqyKL Tb1KaQVLp6nT148nV4MiwBJ+7NpUa4KiVqAcZ++uJl38hw409iHzPeOCKTRkzgPHt4AD lhxeUSByUlv//PAa1wDX11yA4LoS5RSS4rcICQyF1rDA+Y7Uj1yJiGWMI756C9RcZ+iv 38GJjgajhyRqS0MmmAlG9bb39Sj2vvmN60m53Ptm7aRhGWW7vH64rF2UoiL3yZxQiDpk F9iXSp4Ra7ClPG+oxpwyCqXQ2mvoKfbhc4pyLHl+tPjWZJoxJDt58nSyzJJ3X+j/IZJ9 vzoA==
X-Gm-Message-State: AOAM530fY/yFH+ljWxwXcHPpq0sh8/SpFy0cgjcMmEVPJI6jfdMqONN8 Syo/7kCyqp+DREe+MBdcgg4UOrsdvwMgYTROO7ot4bNt
X-Google-Smtp-Source: ABdhPJxf7NMu0VPMztSyXa8zT6MJ/mQ24+eo8yq1pZuMb+iAbF76W4+rVMyWTi25K2/dBwl4TL0srhDdXkgkIeK+izo=
X-Received: by 2002:a05:6870:b001:b0:100:ef5f:77eb with SMTP id y1-20020a056870b00100b00100ef5f77ebmr5681087oae.51.1655064504538; Sun, 12 Jun 2022 13:08:24 -0700 (PDT)
MIME-Version: 1.0
References: <BL1PR12MB5753CEB436047B152714100FBFA49@BL1PR12MB5753.namprd12.prod.outlook.com> <20220609191051.F2709434C018@ary.qy> <BL1PR12MB57533941A9C6B481C75D9FFABFA79@BL1PR12MB5753.namprd12.prod.outlook.com>
In-Reply-To: <BL1PR12MB57533941A9C6B481C75D9FFABFA79@BL1PR12MB5753.namprd12.prod.outlook.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sun, 12 Jun 2022 16:08:13 -0400
Message-ID: <CAH48Zfy7Jq_Xg9_Dx+o8JbaYAUNrQK52mn5GzC953mps67RG+Q@mail.gmail.com>
To: Les Barstow <lbarstow=40proofpoint.com@dmarc.ietf.org>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000df991305e145bbca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/gjtSQjOglzd30qCfc4FK9SbczmE>
Subject: Re: [dmarc-ietf] Next draft concerns
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Jun 2022 20:08:26 -0000
Les' question has returned us to the problem of justifying the tree walk. We need to document the problems with PSL, but we also need to demonstrate that the tree walk solves those problems without creating others. In most cases, the tree walk and PSL will produce the same results, because they will both find the top-most DMARC policy in a structure with neither a private registrar nor a PSD policy. So the justification is really limited to those exceptions. We assume that most PSL errors will cause organization fragmentation, because of identifying a private registry for XSS purposes which is not a private registry for email purposes. We also know that the current DNS has no information about private registries, so if we apply the tree walk to the current DNS, we may sometimes error by landing too high and causing inappropriate organization consolidations. In the case that the tree walk stops lower than the PSL target, the most secure solution is to believe the DNS policy. This can only occur if the policy has a DMARCbis token which explicitly says that a policy has the Organizational Domain role. In the case that the tree walk stops higher than the PSL target, which do we believe? To tilt the decision in favor of the tree walk, we need a token which indicates that the tree walk did not pass over an undocumented private registry. This will also require a new token on the organizational domain, which is not yet defined. I see these possible informational signals: - No private registries or organizational boundaries underneath this organizational domain. - All sub-organizations underneath this organizational domain are also documented with organizational domain DMARC policies. - A private registry exists underneath this organizational domain and is documented with a PSD policy. This means that for either exception, a new DMARCbis token is required on the organizational domain. Consequently, a domain which has not published an applicable DMARCbis token should be evaluated using the PSL, and a domain which has published a sufficient set of DMARCbis tokens should be evaluated using the Tree Walk. This approach also satisfies our other requirement, which is that the tree walk requires an organizational domain policy. I know this is discouraging, because John's original hope was to avoid placing a change requirement on domain owners, but I do not see that it can be helped. Doug Foster On Thu, Jun 9, 2022 at 3:18 PM Les Barstow <lbarstow= 40proofpoint.com@dmarc.ietf.org> wrote: > Thank you for the history fill-in, John. That does at least explain why > we’re here and not somewhere else. > > > > I will respectfully disagree that the “psd” tree walk standard is > well-defined based on the remainder of my response – that the use of the > “psd” TLA for the tag is unfortunate/misleading and that more specificity > is desirable. But having the alternatives eliminated at least gets me to > “it should be in this spec”. > > > > On Thursday, June 9, 2022, John Levine wrote: > > > > It appears that Les Barstow <lbarstow@proofpoint.com> said: > > >-=-=-=-=-=- > > >[Strong opinion follows] > > > > > >IMO [from April], determination of a DMARC authority boundary (registrar, PSD+1, private registry (+1), or internal subdomain > > >boundary) should really be done outside of the DMARC standard altogether – a separate DNS lookup not dependent or centered > > >around DMARC, and one flexible enough to respond with indications of various levels of authority. It is useful for > > >decentralizing other queries beyond just DMARC (e.g. determining an appropriate WHOIS TLD for lookup). Unfortunately, here we > > >are at draft 8 of the new DMARC standard and we have nothing to use as a sidecar mechanism. > > > > The DBOUND working group already tried and failed to come up with a > > general way to publish DNS boundaries, so we're not going back there. > > > > >Is there a driving need to have this in the standard NOW? > > > > Yes, of course. The point of writing a standard is to tell people what > > to do to interoperate. The current underspecified fudge which winks at > > the PSL has well known issues since, among other things, the people > > who run the PSL have made it quite clear that it's not designed to > > make DMARC work. It contains plenty of entries which make sense for > > web cookies but not for DMARC. > > > > The tree walk is well specified and doesn't depend on third parties > > who aren't interested in what we want or need. > > > > R's, > > John > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- [dmarc-ietf] Next draft concerns Douglas Foster
- Re: [dmarc-ietf] Next draft concerns Les Barstow
- Re: [dmarc-ietf] Next draft concerns John Levine
- Re: [dmarc-ietf] Next draft concerns Les Barstow
- Re: [dmarc-ietf] Next draft concerns John Levine
- Re: [dmarc-ietf] Next draft concerns Douglas Foster
- Re: [dmarc-ietf] Next draft concerns Scott Kitterman
- Re: [dmarc-ietf] Next draft concerns Douglas Foster
- Re: [dmarc-ietf] Next draft concerns Murray S. Kucherawy
- Re: [dmarc-ietf] Consensus check - Private regist… Douglas Foster
- Re: [dmarc-ietf] Next draft concerns Scott Kitterman