Re: [dmarc-ietf] DSAP "DKIM Sender Authorization Protocol" for DMARC
Douglas Foster <dougfoster.emailstandards@gmail.com> Mon, 10 April 2023 20:21 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8545FC151548 for <dmarc@ietfa.amsl.com>; Mon, 10 Apr 2023 13:21:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rwxMApIm6iXB for <dmarc@ietfa.amsl.com>; Mon, 10 Apr 2023 13:21:30 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49072C151539 for <dmarc@ietf.org>; Mon, 10 Apr 2023 13:21:30 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id be27so6437664ljb.12 for <dmarc@ietf.org>; Mon, 10 Apr 2023 13:21:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681158088; x=1683750088; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=G0PHodmz5eUqMc+0B6n5I160z/zPa6psAEyW4B4Y0+c=; b=BgWHD00jOLkfXseiCTzRe4wsSPMP7HUDyBmTrzd9AKpj296wHXnQFvTwnc+B1x3ZjL NFF7FXpKqtABMacaUoJtZgwN1Eiz19O75fggSRN7Uryp5vsqTSrNY76tY2hezwOqvscj HvLlXmoS16i/itn4ZjQRQGV0aNyN2aVhuu+0uIw197GqyqrVtDq7fl1o0eOf15nBATF9 GpX/6oKVvygojJwYUeWuocFcObtq87AvuchMyp4FaY9Ba/sxwospuPtO6fnNuPvTEOJT fWNMVr6pY/HvUvCPFDiPUN/5HiSTcJRulgFSIU1Cks/rAZQXJLDfghDFO2Pia+MgyaED XzmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681158088; x=1683750088; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=G0PHodmz5eUqMc+0B6n5I160z/zPa6psAEyW4B4Y0+c=; b=vfUCH2Yvj2VbXw9/4Yrar5ouYfLdDUykBBDbJxIAAAK8mZ2OWpA3qDUxyfnSUogubL EDKymJ7o3pMO/9DYhA12KfWhuxcHfKAXF9z8i0Biqz+AtHKdU3ARc75U7MIFV3LOQb4i jFiEuTvGylNmYHcLvr8cAh+uUU+kx4ChDM7qLQ0xS5WGsUJunjpeqliYJ1M6ilkA6Mbw 3yJLcA0pe4f1xGlTwyuZVxvKj9v9HFE1+NjVM1BoxEr0wvg9AiiXKgItcyqgeVURh/Ce GZdGkHVSQhiZSgwxDP4VM3MOGkZ7dCRK2Uy1PmX+2GVf6iQHGv/9O0j2tDQLKgOSq2gi x3Iw==
X-Gm-Message-State: AAQBX9cm+DprxTAN2+WWsvOAj4nXuLYzN4E71HU9Xp6eUGiLLdTSINqJ p+yGyY26JQEqnZZc5mfQbqbT310wAd0/Ml4Hn5hEM+JyVXU=
X-Google-Smtp-Source: AKy350bGI80/8txtXpXhgyY7wmo3HZLz/bOYa06sa0qMjd54A77/CJKd39Pjf9YMuneA3GS27rI+82Owk65fDUU9DmU=
X-Received: by 2002:a2e:3609:0:b0:29b:ebfa:765d with SMTP id d9-20020a2e3609000000b0029bebfa765dmr33630lja.1.1681158087926; Mon, 10 Apr 2023 13:21:27 -0700 (PDT)
MIME-Version: 1.0
References: <835E8C7C-431F-43A4-96DC-C3ED37325DFF@isdg.net>
In-Reply-To: <835E8C7C-431F-43A4-96DC-C3ED37325DFF@isdg.net>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Mon, 10 Apr 2023 16:21:17 -0400
Message-ID: <CAH48Zfzqk3H3nqm4ExCtrby9NdFZOLrsr5T4L+UyX17NZ+CN9Q@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a465af05f9011ef0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/hSZa2Oqypf1NnE40AaQlLx6EvAI>
Subject: Re: [dmarc-ietf] DSAP "DKIM Sender Authorization Protocol" for DMARC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Apr 2023 20:21:34 -0000
Hector, here is my take on the DSAP proposal. I am not sold. DSAP notable features 1) DSAP policy can be used to identify and block non-mail subdomains of registered domains. This might be useful when mail-sending domains use p=(none|quarantine). The equivalent result can achieved with DMARC by setting an exact-match policy of p=(none|quarantine) on mail-sending subdomains, and a policy of sp=reject on the organizational domain. I actually think this is what domain owners should do, unless they are moving to sp=reject. However, my theoretical analysis of the problem suggests that attackers have no incentive to impersonate a non-mail subdomain when a valid mail-sending subdomain is undefended, so there is little risk of a non-mail subdomain being impersonated. 2) DSAP policy can be used to identify valid signatures from unauthorized sources. This feature becomes important if private key leakage is common, which I doubt. Feedback reports provide partial visibility into the usage of DKIM scope IDs, which may lead to detection of a key leak. Once detected, key rollover is used to disable the leaked key. Since I don't perceive leaked keys to be a significant concern for my incoming mail, I would be inclined to trust the valid signature rather than trusting the DSAP policy. 3) DSAP can be used to indicate that a message must be signed. This seems equivalent to DMARC p=reject with SFP=no policy. 4) DMARC can be used to allow mailing lists and any corollaries to sign in-place-of the originating domain. This is capability without current equivalent, but it requires the list to negotiate with all of the sending organizations to publish the authorization, and then hope that the receiving organizations will honor the signal. In most mailing list scenarios, the sending and receiving organizations are the same. So this is essentially similar to negotiating an incoming filter exception for mailing list traffic. Jesse recently mentioned replacing a mailing list with thousands of lists. Negotiating with the domain owners for all of those subscribers does not seem feasible. Even if attempted, a subset of those domain owners will say, "Not on my watch!" The scaling problem occurs when we ask how many unique mailing list domains will need to be included within a single domain's authentication list. The design would need to be flipped to use DNS subkeys, so that the number of entries was unlimited, but the lookup for any one re-signing domain returned a single record. The scaling problem is solvable for the authorized domain list, but building that list is not feasible. DF On Sat, Apr 8, 2023 at 2:01 PM Hector Santos <hsantos= 40isdg.net@dmarc.ietf.org> wrote: > Summary: > > I would like to reintroduce the DSAP (DKIM Sender Authorization Protocol) > as a DMARC extended tag extension -dsap. The original DSAP draft covered > nine 1st vs 3rd party signature policies from a verifier viewpoint, which > addressed boundary conditions for DKIM signatures. The reintroduction aims > to address concerns regarding 3rd party resigners. > > Key changes proposed for DMARC integration: > > o Introduce -dsap tag for DSAP support, covering a complete range of > possible policies. > > o Use -asl tag for inline list of authorized signer support. > > o Implement -atps tag for ATPS support. > > o Formalize the From rewrite logic with a -rewrite tag. > > o Introduce -target tag to assist mail forwarders with authorized > redirection of exclusive policies. > > The proposal seeks to offer better integration with today's wide range of > mail applications, building on the existing DMARC protocol and improving > 3rd party authorization and reporting. > > > Background: > > In 2006, I submitted an I-D DSAP “DKIM Sender Authorization Protocol” that > covers the boundary conditions for 1st vs 3rd party signature > expectations. There are nine 1st vs 3rd party signature policies in DSAP > from a verifier viewpoint: > > Original 1st Party Signature (OPS) > Not expected (-) > Expected (+) > Optional (~) > > Third Party Signature (3PS) > Not expected (-) > Expected (+) > Optional (~) > > Using these expectations, DSAP can cover most if not all possible Boundary > Conditions for DKIM signatures. > > I would like to re-propose DSAP but this time as a DMARC extended tag > extension `-dsap` as I believe it can address our concerns regarding 3rd > party resigners. > > Here is the 2006 DSAP proposal I plan on updating to support DMARC and > ATPS: > > https://datatracker.ietf.org/doc/html/draft-santos-dkim-dsap-00 > > History: > > The DKIM Policy Model began with SSP “Sender Signature Practices/Policy.” > This image illustrates the overall process: > > > [image: SSP Overview] > > Many today do not realize the original DKIM included Signature Policy > protocol called SSP. It was spit into DKIM-BASE and DKIM-SSP to help > speed up the process. DKIM was well defined but SSP was not. SSP covered > various signing scenarios, however, there were 3 policies missing which > DSAP covered: > > [image: v3_slide0022_image050.gif (392×199)] > > The DMARC protocol offers an exclusive only policy with > p=reject|quarantine. This would be a -dsa=OP+,3P- policy With DMARC p=none, > no other policy possible in terms of expectation other than an unhandled > failed exclusive policy. So DMARC is very limited making it a very to > integrate with today’s wide range of mail applications. > > DMARC also introduced two more takes that I would like use replaced with > DMARC and ATPS. > > For Reporting, DSAP provides tags for failure reports. This is now > well-defined with DMARC. [DSAP only considered failure reports]. > > For 3rd party authorization, DSAP provided the -asl tag. The asl tag was > an inline small domain list tag. But it can also signify a check using > ATPS for higher scale applications. > > Everything would be the same with DMARC and DMARCbis. The change would > be: > > -dsap tag for DSAP support for the complete range of possible policies. > > -asl for inline list of authorize signer support > > -atps for ATPS support > > I would also like to formalize the From rewrite logic with a tag: > > -rewrite > > Which tells a resigner it may rewrite the From under certain conditions. > > -target is a new tag to help mail forwarders. > > DMARC has considerations for SPF results with a strong alignment > requirement. One scenario where a -dsap=op+,3p- is with SPF hard failure > during mail forwarding. The -target will allow a forwarder to resign as a > 3rd party without -asl or -atps requirements. > > — > Hector Santos, CEO/CTO > Santronics Software, Inc, > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- [dmarc-ietf] DSAP "DKIM Sender Authorization Prot… Hector Santos
- Re: [dmarc-ietf] DSAP "DKIM Sender Authorization … Douglas Foster
- Re: [dmarc-ietf] DSAP "DKIM Sender Authorization … Douglas Foster