Re: [dmarc-ietf] ARC questions
Michael Thomas <mike@mtcc.com> Wed, 02 December 2020 20:13 UTC
Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE3513A1550 for <dmarc@ietfa.amsl.com>; Wed, 2 Dec 2020 12:13:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.65
X-Spam-Level:
X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ahATtv24AJE for <dmarc@ietfa.amsl.com>; Wed, 2 Dec 2020 12:13:48 -0800 (PST)
Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F3C33A1568 for <dmarc@ietf.org>; Wed, 2 Dec 2020 12:13:47 -0800 (PST)
Received: by mail-pf1-x433.google.com with SMTP id o9so1940878pfd.10 for <dmarc@ietf.org>; Wed, 02 Dec 2020 12:13:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=R4Fc1Eybq3Tga7SsXo5PIDScEkn3zlnp3jAuzQ0GJiQ=; b=JU+GTAJSNF81FARGXk14F3dvnaPBMlqeTvTV2PGmKuEIEx9vx1y2Qs1r3DxQGuUZIG Bz3+jWW0K+I9y3GREzFIjH7LFbllf+AH8+j0wCTmS455dABN+UNpGN80d3RBx3o6FaTT kMkgtkk284yblkalj+GBawsnNe3Qx2YwL4NJIprsqZ4/vZvOpkgmrxlz72XpSCKIaRfI 53XSC42/FxcNGihsvcFso1x42SBP442613MsHfjyRYodkvzSskPWWiHxJSU74yo1us7Q hDXSKCu2mwIms8HP0GV8q/wwzV1MJ6s4EJ4kolwwtshrvJnuSjOt2zUr51nFljoqR92E 9xNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=R4Fc1Eybq3Tga7SsXo5PIDScEkn3zlnp3jAuzQ0GJiQ=; b=pZzqVFB22+7ZXL3pxUCSLSBbPQh6aDJ6pXoU8BmgK7aSuoA0zfea9y/b5kOeLoJu4U N8P0Q3BMPs/0JDeMOcNSOkpjVy+s4NUd1eK6nKhtrS/WYMe+O12GDonp31tciGZnHONX e67e3bFNcf7LiCEhhvboTH/ghG0kwmPjem7wWeNbV6ORR/ANVYMBIRftUiaOqo1WXgYb PzyeQd2mSlBsFrN0G5R2a9D+3MEzQGzzTCpkjv1+e+FlDNPHORwBK638Gejesn5LzlF/ L36xA4tXN4K9F/1KbfM9Hkh+vWndXSGd58Ixb+tY2q+5mq7txnhbRfirQCSTRyGF5+Ib 4BYA==
X-Gm-Message-State: AOAM530GmY6oTopLwazQmnTh9FYvn4Ep12RRptqwh9Qfw4C1/MLCf1E+ l/6CxzOE6MY7E70AFWtfVqQi3HtWFySjZQ==
X-Google-Smtp-Source: ABdhPJwZ/Fn0NBOxQV6gv/WOL4qirotOs/cy0cLjO9Pu9bqSKBfECWOGxv9HImy7r4kQPsAnNOdVQA==
X-Received: by 2002:a62:1942:0:b029:197:e232:cfd4 with SMTP id 63-20020a6219420000b0290197e232cfd4mr4142615pfz.53.1606940026946; Wed, 02 Dec 2020 12:13:46 -0800 (PST)
Received: from mike-mac.lan (107-182-42-33.volcanocom.com. [107.182.42.33]) by smtp.gmail.com with ESMTPSA id l66sm519933pgl.24.2020.12.02.12.13.45 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 02 Dec 2020 12:13:46 -0800 (PST)
To: Brandon Long <blong@google.com>
Cc: John Levine <johnl@taugh.com>, IETF DMARC WG <dmarc@ietf.org>
References: <20201124020453.AFDC027CE5C8@ary.qy> <cd855b53-d9bd-3412-3bd5-dc4b7720dc5c@mtcc.com> <CABa8R6s0bfs87Fu9eOq_R3WH1pngauVXrw3RSPe9iWWCtf3AmQ@mail.gmail.com> <c954eadd-5c85-c0d9-2168-8a42de506b72@mtcc.com> <CABa8R6swzAQLPU=xE2tr1W0J5r+w80BSYu87_ubMwHaUMgmKvA@mail.gmail.com> <1eed8278-4efa-4abc-15e0-2efcf014e82e@mtcc.com> <CABa8R6sEk+dHwHjBCKDgcmeT_Z3FymC5+jzy-GGa=7gJYvOf5A@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <446d491b-100a-9813-6463-2294f67bbda7@mtcc.com>
Date: Wed, 02 Dec 2020 12:13:44 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <CABa8R6sEk+dHwHjBCKDgcmeT_Z3FymC5+jzy-GGa=7gJYvOf5A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------BDD9B3FB7F2111D02A8AE5C8"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jAFgD9-w2NA4OzxWrF7fQ1BjEFs>
Subject: Re: [dmarc-ietf] ARC questions
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2020 20:13:51 -0000
On 11/30/20 9:43 PM, Brandon Long wrote: > > To summarize what I said already in this thread, DKIM is taken by many > receivers as the responsible party for a message, in both spam and > phishing classifiers, with the latter being perhaps more relevant. > DMARC is the one example of that. DKIM signing a message that > transits your system allows for reputation washing of the original > message. The ARC chain is specified as a relay responsibility, which > is a lesser burden. > > Ignoring the existing usage of DKIM, DKIM+A-R would only work for a > single hop, and lead to some complication compared to the other DKIM > signatures already on the message. Wait, what? a DKIM signatures survives until it encounters an intermediary that alters the message in a breaking manner. Arc-Signatures are no different in that respect. In fact as far as I can tell they are identical modulo the i= difference. > > DKIM is not the only thing that can be reputation washed, SPF can as > well. 821.FROM rewriting is more common, so there are work-arounds. > OTOH, SPF doesn't survive forwarding, but with ARC you can forward > it. DKIM+A-R would only work for a single hop, and lead to some > complication compared to the other DKIM signatures already on the message. > So mtcc.com <http://mtcc.com> is now hosted by gsuite (::sigh::), > so you're saying that it would run into problems? I haven't put up > a DMARC policy, but if I did I might run into issues with false > positives? Like I said, I'm trying to get my head around what the > actual problems are, and this is coming from a person who stressed > mightily from the very beginning about the mailing list problem. > > It's unlikely you have a complicated mail flow involving multiple > vendors, but certainly there are plenty of configuration options > alllowing folks to shoot themselves in the foot. By definition a message hitting the front door of the destination domain (via an MX record) sees the DKIM signatures in the message and can process them at that point, or at some point before other manglers get a hold of the message. I don't see why we should care at all about what happens beyond the destination domain's front door because that's their problem not ours. The entire point of DKIM is the inter-domain case, not intra-domain. > > > With ARC, we can instead say "trust this arc admd" and have the data > passed directly, and also work around the DKIM breakage. But ARC suffers the same breakage with the ARC-Signature. And if the ARC-Signature is broken, you can't trust the sealed data because that's a trivial cut and paste attack as far as I can see. So I'm just not seeing how this is any better than just a plain old DKIM-Signature with the old auth-res renamed and signed since you can already for 15 years trust signing intermediaries or not. > > As for another comment in the thread about adding two signatures per > hop, there was a suggestion that it could be replaced with a single > signature per hop near last call with some loss of information > (maybe), but it was decided to move forward with the existing solution > that already had several implementations and was experimental anyways. > As I said elsewhere, since this is an active experiment and it's already been a year, it might be good to start documenting what the experiment is teaching us. I still after many messages have no clue what what ARC does that DKIM+old-auth-res cannot beyond tying the authres and signature together. It would be nice to know in a quantitative way why that is important, as well as any other things that cannot be done with DKIM+old-auth-res. In fact since I expect that most signature breaking intermediaries DKIM resign the messages (and if they don't thay aren't going to do ARC either), it would be very simple to chronicle how the two approaches differ in efficacy. The same reputation look for ARC can be done for DKIM too, after all. BTW: i can understand not wanting to touch DKIM or AUTH-RES proper for an experiment, but a standards track document should really consider just adding the binding tag to DKIM and Auth-res. They were both designed to be able to do that. Mike
- [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John Levine
- Re: [dmarc-ietf] ARC questions John Levine
- Re: [dmarc-ietf] ARC questions Kurt Andersen (b)
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Douglas E. Foster
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Douglas E. Foster
- Re: [dmarc-ietf] ARC questions Joseph Brennan
- Re: [dmarc-ietf] ARC questions Todd Herr
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Doug Foster
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Todd Herr
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John Levine
- Re: [dmarc-ietf] ARC questions John Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions John Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Seth Blank
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Douglas Foster
- Re: [dmarc-ietf] ARC questions Murray S. Kucherawy
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Murray S. Kucherawy
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Murray S. Kucherawy
- Re: [dmarc-ietf] ARC questions Alessandro Vesely
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John Levine
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Benny Pedersen
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Michael Thomas