IETF Logo Mail Archive

Re: [dmarc-ietf] Display address, was Mandatory Sender Authentication

Hector Santos <hsantos@isdg.net> Tue, 11 June 2019 16:38 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 592131203D3 for <dmarc@ietfa.amsl.com>; Tue, 11 Jun 2019 09:38:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=K04uzQHm; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=lMnht6/l
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Op10S8HD1Ra for <dmarc@ietfa.amsl.com>; Tue, 11 Jun 2019 09:38:48 -0700 (PDT)
Received: from mail.winserver.com (pop3.winserver.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 606D2120386 for <dmarc@ietf.org>; Tue, 11 Jun 2019 09:38:26 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=6849; t=1560271099; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=5Zg9xYF5Q5Ay/Pux/jTa1F3vRNk=; b=K04uzQHmGJiklZQoGPQXryOKHjzc3Ga/hOe1V7+e+gKGNLtbgQ1mgE0myOqAYF 5SOFOOQ8Y/z68jrnNSBJ9OG9q2wrCA7ZDrGo9wGbgvX4xBRvfxbnZm5PrztJjPO6 9MulGOyq8+PiLh0f2ZBJK2kBtbCAy/4qS4P5wWZ5afmnU=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Tue, 11 Jun 2019 12:38:19 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 1063538845.1.5672; Tue, 11 Jun 2019 12:38:18 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=6849; t=1560270899; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=4HDlfcY 2OP5gTocPD8LF2IrOBDkVMmYTugFwGIvp0RE=; b=lMnht6/lmL+ez9j+VT5vvGu /aT/malSf6Ll2RFnmi5DG/xlGEc6rdCbEmhTOvI1KRx0Q4OaBq4crN2WJ2OYo3ta U4S4yEHvLqtdbz2RKn86up73mgwu02LF2iGQy3D9ymHiV7Tva5rPYk/SVUPIjx23 qa4aw+/QJOebZELaXFak=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Tue, 11 Jun 2019 12:34:59 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 2635754504.9.245780; Tue, 11 Jun 2019 12:34:58 -0400
Message-ID: <5CFFD8F7.9030109@isdg.net>
Date: Tue, 11 Jun 2019 12:38:15 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <20190603142956.66B31120252@ietfa.amsl.com> <45cdc0da-5243-3a62-b217-8d5e4ea9ea11@dcrocker.net> <941abdbf28684283b972f69f25876220@bayviewphysicians.com> <5524dbb3-27ff-4aa8-aaf0-fc3a3fc23418@dcrocker.net> <1df2cc6b-c169-59ca-08f6-dadc06a702c6@tana.it> <1e096404-6b00-8896-0b79-841c243cacec@dcrocker.net> <7f8692bb-6b80-455e-f030-731f3ae36b58@tana.it>
In-Reply-To: <7f8692bb-6b80-455e-f030-731f3ae36b58@tana.it>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/iWhRyZasRsekuUzzoB4KpTSrj1A>
Subject: Re: [dmarc-ietf] Display address, was Mandatory Sender Authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2019 16:39:22 -0000

On 6/11/2019 11:12 AM, Alessandro Vesely wrote:
> On Mon 10/Jun/2019 22:17:01 +0200 Dave Crocker wrote:
>> On 6/10/2019 1:17 AM, Alessandro Vesely wrote:
>>> On Sat 08/Jun/2019 18:49:03 +0200 Dave Crocker wrote:
>>>
>>>> Except that most users don't actually see that address because these days most
>>>> MUAs only display the display address.
>>>
>>>
>>> We often came across this realization.  Since DMARC hinges on that field, I
>>> think the spec should include some advice to MUA implementation.
>>
>> Unfortunately there is no 'advice' to give that has any utility.
>>
>> If you feel otherwise, please try to formulate it, including the basis for
>> believing it useful, and then try to get community support for it.
>
>
> I'd propose bullets like the following for Section 12.4:
>
>      o  In the MUA, it is safe to only show the display name if its
>         correspondence to the email address can be verified by looking it up in
>         the address book or similar storage.  In case a display name compares
>         equal to one that corresponds to a different email address, such
>         discrepancy should be enhanced unless the two email addresses are
>         established to be equivalent to each other.  Email addresses are
>         equivalent when they correspond to the same person, or to the same role
>         within a given organization, or, in practice, when the user says that
>         they are.
>
>      o  The authentication status of the message should be visible.

These are good for a online MUA system where the backend has both 
verification and display controls.

With an offline MUA, where we have store and forward, there is the 
"who was the verifying domain" trust issue. If the backend is not 
going to clean it up, make it safe for the user's MUA to pick the 
mail, then it has wider chance of user security concerns and issues 
due to lack of persistency and consistency in offline MUA behavior. 
With a hybrid, the MUA is more in sync with the backend operations, so 
rather than the MUA doing the calculations based on the data it has, 
the backend supplies the indicators, public or proprietary, for the 
compliant hybrid MUA to display.

As a developer of MUAs, offline, online and a hybrid, with Native Gui, 
Text-based (ANSI/VT100) and HTML-based Messaging UIs, there has been 
many single sourcing and integration considerations.   Overall, we 
only have open standard RFC5322 protocol to communicate between the 
MSA/MTA/MDA and MUA.  I think the "battle" or "dilemma" has been the 
trust of the A-R header verifying.domain" header created by the MDA 
mail receiving/inbound components performing the DKIM verification. 
Can the MUA trust the verifying.domain?  A possible MUA design tip 
could be to add something equal to:

   [_] Trust the Authentication-Result Verifying Domain IFF it matches the
       the Authentication Login (Mail Pickup) Domain Server.

or something along those lines.  With the MUA I used personally 
(TBIRD), I created a rule to highlight, color tag the  Pass (Green) 
Fail (Red) DKIM results read from my backend verifying domain A-R 
header. Others A-R beader are ignored.

Each MUA can implement this idea their own way. But it is important to 
consider the different MUA designs. With Online, like a Web-Mail 
interface, this offers 100% backend UI design controls, single sourced 
and safer for the end-user.  It is easier to explore the integration 
requirements.  With offline/hybrid MUA system needs are more complex 
and the ideas will need to be translated into a RFC5322 meta-headers. 
   Of course, the offline MUA can do the DKIM verification itself.  It 
has always been in interesting idea to see what comes about.  While I 
recall some earlyr 3rd party Add-on attempts, I personally have not 
see too much in this area with MUA vendors themselves.    We won't see 
persistency and consistency here.   Hybrids is what I expect more to 
happen where the backend can add more "meta-data" designed for the 
proprietary hybrid MUA to understand, and its not just for DKIM 
security but a broad range of MUA A/A concepts.

>>> A trust on first use (TOFU) approach would seem to be possible.
>>
>> In practical terms, what does that mean?  Who does what, exactly?
>
> A discrepancy can be enhanced by bold characters, by a pop-up, or by a beep and
> an alert message.  Anything but silently displaying a familiar name which
> actually stands for something else.
>
> A user can then arrange her address book so as to make it clear to the MUA that
> a class of email addresses are equivalent to one another, in order to avoid
> meaningless alerts.

Good ideas for MUA implementations, not sure how we can standardize 
this though. Lots of psychology involved. In fact, with the Red/Blue 
color tagging I've have in Tbird,  I haven't been paying too much 
attention to the RED tags I see
due to DKIM verification failures.  If I see both a red and blue, that 
tells me most likely an original DKIM signature was broken (RED) but 
it was resigned with 2nd list server signature (GREEN).

For Private 1 to 1 communications, I would not expect to see RED here 
because there should be no middle ware interference, but there are 
non-list related indirect scenarios that can cause this.  I wouldn't 
expect it though.

>
>
>>> Does this subject deserve a ticket?
>>
>> Since it has nothing to do with errors or problems with the current spec, I
>> don't see how to justify a ticket.
>
>
> Section 12.4 seems to have some problems.  The first bullet should be reworked,
> because it can be understood as suggesting that in cases like, for example:
>
>      From: "user@example.org via Bug Tracker" <support@example.com>
>
> a _MUA_ should "execute the DMARC mechanism on the domain name found there
> rather than the domain name discovered originally."  That sounds nonsense,
> first, because MUAs should rather base on A-R records added by the MX.

This is what I meant above.  You are proposing a trust concept for the 
MUA on which A-R record to "believe."

The MUA needs trust on the meta-data headers it sees.  In theory, it 
could trust (with higher confidence) the headers added by the user's 
mail hosting provider or the server the user logged into, or basically 
the last processing machine at the hosting provider.

Maybe Murray can comment on this, I don't recall seeing a discussion 
where the A-R verifying.domain was tied to some trusted hosted domain 
we have confidence in.  Can the MX or MDA domains be associated with 
the A-R verifying the domain?

Right now, the only A-R header that can be trusted is the last one 
created by the receiving domain for in-house use, or a Web-mail 
interface or for a hybrid.  For a offline reader, the user will need 
to make that the RFC5322 scripting designs or the advanced MUA can 
offer an option to make that trust association.

-- 
HLS

v2.23.0 | Report a Bug | By Email