Re: [dmarc-ietf] Third party signatures
Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 16 May 2023 11:07 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CE49C1519A1 for <dmarc@ietfa.amsl.com>; Tue, 16 May 2023 04:07:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.084
X-Spam-Level:
X-Spam-Status: No, score=-2.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r1vsLShj_pij for <dmarc@ietfa.amsl.com>; Tue, 16 May 2023 04:07:01 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBFFFC151530 for <dmarc@ietf.org>; Tue, 16 May 2023 04:07:00 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id 2adb3069b0e04-4f14468ef54so16281290e87.0 for <dmarc@ietf.org>; Tue, 16 May 2023 04:07:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684235218; x=1686827218; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=bVV5sepLhNCafBNRHr3DN5WPBAKi6ZGwt0Q1MB9jMdg=; b=e4SIsaIQjNkLsVNGt1fAZEVlhHXWlffymQM5f1Uo0bfUpAQobUuoI+5hilSP2eCC+R ltYwK8ozbsiXQdUpJr88BV4Y0+fRsEekI2PcBdNgp2qqgjuY7NL/JQyLpC39/o6rED+r RUcG4qkqsXRwxp/Vcp9MO8e6h/JdYSHg3fy8C6fRbB3J5M5upBWTDn/iAmUHciGnv0GO f39MF6DWFZ++dM0t+HfUgigwgDpWCM8k1j5fAKNtxNXJx6WcgXrbLi0KV+8OjlohL30l Dt5kUp4M8rBEFPkYD3HBookfs6tBqj9+y2Rw5L4HpSlAtoYDFyl48EWCSTC5L4VTVpsM Mc/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684235218; x=1686827218; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=bVV5sepLhNCafBNRHr3DN5WPBAKi6ZGwt0Q1MB9jMdg=; b=k4DI4jHcCuwPIeQ7DtbpJQyWvRd3zfT44wsJohK18TI5gZpnm28wgN5e0JnwR72lmW hXkGDYmslTAwr/VvntGZjjYYrt+58QYgJ3FgipF69P4yCLv9/ptOQ9eCKVd+Qqrfg/eC dcbKa7WPOfSU4Do5AmazCI1H7Ldih4YRkkeuLXrWANWyjBf77HGaen0E1b4V9BYhQruK 5qV5RL2DFqMlJ7hWSgZdJKFvDHfcNiis5xUCvVAWEdpt/vm8gpqMxJJGp7jcv6NDjlua usfECow3d2+B6a0dJncduzdFXRxZbjcCoiOjDc4JHji79iSw+7pB37ztpYFMVxLRBVqN r8aw==
X-Gm-Message-State: AC+VfDyFpFvyrgSCXVpdXFIcaKSJZ0m64GkbiIFIuUEBQLyJeDEBjHSJ 7vvq/HwezAXmYWdIqx6wIrTgHdyX3QPR/qWLWkCk7FXk76E=
X-Google-Smtp-Source: ACHHUZ4w8LJD7/vwZQrgb3wbYjg3p115o8bxSFx0ZiSFwWA+6n4eJNG0AR1kV93gNuobiAiyh5e5w+YwrXyqoa4Bk0w=
X-Received: by 2002:ac2:53ae:0:b0:4ef:ec33:9155 with SMTP id j14-20020ac253ae000000b004efec339155mr7306722lfh.28.1684235218228; Tue, 16 May 2023 04:06:58 -0700 (PDT)
MIME-Version: 1.0
References: <CAL0qLwa9DoTCVCOOgrB1NySd2-aE-5wVSGsLNh=8k7xwDLgrTw@mail.gmail.com> <20230502170640.E2095CAA204B@ary.qy> <CAL0qLwYQLmJiG9wjyim42xPiQvXZxNxoV0j2HtxZeAV1bAWz=g@mail.gmail.com> <CAAFsWK1fcsdse9EVKaeEerV14Zx0imuM2yAZLxGPzZUEZRvvjQ@mail.gmail.com> <710950a7-3d6b-cc12-0529-89f17dd640bc@taugh.com> <CAAFsWK21NSoPhmmiX_aKzYWsfdEYVSVY1QiX8p9r8rXUGdHzQg@mail.gmail.com> <6462EB35.5040600@isdg.net>
In-Reply-To: <6462EB35.5040600@isdg.net>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Tue, 16 May 2023 07:06:47 -0400
Message-ID: <CAH48ZfyN97G8rQmsJVB-+8=jd4RSQC+7cZ8s1ubdnVuL3E-qrg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6a0fb05fbcd91ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/j_SWCu2EKxayw5r5OGXT0FhiWuQ>
Subject: Re: [dmarc-ietf] Third party signatures
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 May 2023 11:07:05 -0000
Hector, my life is short, and this group already takes up more of it than my wife wants. If you are a subject matter expert on all of those RFCs, we need you to summarize the relevant pieces for those of us who are not. But you imply that if I read all of those RFCs, I would see that your third-party authentication proposal is the solution. I don't see that happening, and I am looking for you to adapt your pitch in the light of the pushback that has been given already. To recapitulate one aspect: Today, mailing lists ask this: "Subscriber evaluators need to trust any From address for messages that are verifiably from the List Server's MailFrom address." Third-party authentication with DNS entries asks this: - The subscriber asks his admin to publish trust for the list server domain to impersonate the subscriber domain, without limit. - The domain admin publishes the trust indicator - The evaluators (which are usually the same domain admins) also choose to accept the trust indicators from other domains. The first step requires communication flows that may not happen. The second and third steps require grants of trust that are not easily obtained. If the process breaks down for any one subscriber, the necessary exception mechanism for every evaluator is: "Subscriber evaluators need to trust any From address for messages that are verifiably from the List Server's MailFrom address." Of the proposals on the table, Murray's has the advantage because hashing solves the scaling problem. But even Murray has lost hope of it being accepted. As for ARC, please take a look at the forwarding section of my Best Practices draft. I lay out the reasons why evaluators need to know whether a message was forwarded or not, and suggest a half dozen or so clues for detecting a forward. It is pretty obvious that ARC is the most useful entry in the list. By providing data that helps support the mailing list trust request, it moves the needle forward in a way that third-party authentication does not. ARC also provides value for forwarding situations other than mailing lists. Doug Foster On Mon, May 15, 2023 at 10:32 PM Hector Santos <hsantos= 40isdg.net@dmarc.ietf.org> wrote: > Wei, > > Have you studied the past R&D and functional specifications, architectural > surrounding SPF and DKIM leading up to DMARC? > > RFC5598 Internet Mail Architecture > RFC5322 Internet Message Format > RFC5321 Simple Mail Transfer Protocol > RFC4405 SUBMITTER SMTP Service Extension > RFC4406 Sender ID: Authenticating E-Mail > RFC4407 Purported Responsible Address (PRA) > RFC4408 Sender Policy Framework (SPF) > RFC4686 Analysis of Threats Motivating DKIM > RFC4870 DomainKeys > RFC4871 DKIM (RFC5672.TXT, RFC6376.TXT) > RFC5016 Requirements for a DKIM Signing Practices Protocol > RFC5451 Message Header Field for Indicating Message Authentication > Status > RFC5518 Vouch By Reference > RFC5585 DKIM Service Overview > RFC5617 DKIM Author Domain Signing Practices (ADSP) > RFC5863 DKIM Development, Deployment, and Operations > RFC5965 An Extensible Format for Email Feedback Reports > RFC6376 DomainKeys Identified Mail (DKIM) Signatures > RFC6377 DomainKeys Identified Mail (DKIM) and Mailing Lists > RFC6541 DomainKeys Identified Mail (DKIM) Authorized Third-Party > Signatures > > I find it technically unfeasible and non-logical to support a high > overhead, complex ARC concept that has no promise of any solution for a > DKIM Policy model we have been seeking since 2005. > > What are we solving in the first place with ARC? The ability to revert to > original integrity due to unknown middle wares changes? What ever happen > to passthru mail transports? > > In my technical view, it has been the PORT 25 unsolicited 3rd party > signature unauthorized by the author domain due to the dearth of scaled > AUTHOR::SIGNER Authorization methods. ARC is not resolving this problem. > The overhead is horrendous. > > We have been seeking deterministic protocols to filter out failures with > zero to low false positive. Diffusion by Osmosis! > We don't have it today. It has been made more complex than it really > is. I recommend to study the past work. > > Thank you. > > -- > Hector Santos, CEO/CTO > Santronics Software, Inc. > > > > > On 5/15/2023 5:02 AM, Wei Chuang wrote: > > That's a good point around ARC as that's what it was meant to do. And > that got me thinking that it might be helpful to systematically compare > the different proposed approaches and their pros and cons. The next > approach would be to consider the general approach of the reversible > transform idea that several folks have proposed, and how that would look. > And that got me rethinking the "DARA" work that we're already prototyping for > DKIM replay mitigation, if it can relate to mailing-list and forwarder > modifications and I now think DARA can help here too. The three > different approaches have distinct pros and cons. > > The following is a summary of the comparison. Attached is a more detailed > comparison as PDF that tries to work through what the algorithms would > likely do. > ARC > Use ARC to override the SPF and DKIM results at Receiver by those found at > the Forwarder. > > Pros: > > - > > Uses existing SPF, DKIM and ARC standards. > - > > Tolerates header and body modifications > > Cons: > > > - > > Receiver must trust the ARC headers generated by the forwarder. > - > > Receiver must trust the modifications the forwarder made. > - > > Receiver must trust that no ARC replay occurred > > > Transform > > Proposed in draft-kucherawy-dkim-transform > <https://datatracker.ietf.org/doc/draft-kucherawy-dkim-transform/02/> where > the forwarder can specify a "tf=" tag that specifies addition of Subject > header prefix, text footer to a mime-part, mimify plaintext, and adding a > mime-part representing a footer to an existing mime-tree to the > DKIM-Signature. These all may be reversed to recover the original > signature. > > DKIM-Signature: d=...; tf=subject,mime-wrap, > > The ideas in draft-vesely-dmarc-mlm-transform-07 > <https://datatracker.ietf.org/doc/html/draft-vesely-dmarc-mlm-transform-07> > are conceptually similar though add support for ARC. > > Pros: > > - > > Tolerates header and body modifications > - > > Identifies the modifications > - > > Does not require particular trust of the forwarder to be non-malicious > > Cons: > > - > > Receiver must trust that no DKIM replay occurred > - > > Might not compose across multiple modifying forwarders > - > > Might not support all possible modifications by forwarder > - > > Reversing all possible draft transformations is potentially complicated > > > DARA This clarifies the DARA ideas in draft-chuang-replay-resistant-arc > <https://datatracker.ietf.org/doc/draft-chuang-replay-resistant-arc/> > which calls for authenticating a path from the Originator through the > Forwarder to the Receiver that's tolerant of modifications. Some ideas of > a validated path are explored in draft-levine-dkim-conditional > <https://datatracker.ietf.org/doc/html/draft-levine-dkim-conditional-04>. > > > Pros: > > - > > Tolerates header and body modifications > - > > Does not require particular trust of the forwarder to be non-malicious > - > > Supports arbitrary many forwarders that may modify the message > - > > Supports protocol unaware participants > > Cons: > > - > > Requires DNS policy lookup on outbound delivery > - > > Requires additional messages DKIM signing to support Bcc/Mailing-list > recipients (each get their own signed copy) > - > > Builds upon ARC which is considered complicated > > > -Wei > > > On Sat, May 6, 2023 at 7:42 AM John R Levine <johnl@taugh.com> wrote: > >> > It is not a commitment at this time. That said, we are interested in >> > solving this problem and welcome collaboratively figuring out the right >> way >> > to do this. >> >> It seems to me that ARC provides the useful parts of third party >> signatures and, while rather complicated, has the benefit of actually >> existing. The chain of authority runs from the relay host back to the >> original rather than the other way around, but that's a lot easier to do >> mechanically. >> >> Regards, >> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY >> "I dropped the toothpaste", said Tom, crestfallenly. >> > > > _______________________________________________ > dmarc mailing listdmarc@ietf.orghttps://www.ietf.org/mailman/listinfo/dmarc > > > > -- > Hector Santos,https://santronics.comhttps://winserver.com > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- [dmarc-ietf] Third party signatures Murray S. Kucherawy
- Re: [dmarc-ietf] Third party signatures Wei Chuang
- Re: [dmarc-ietf] Third party signatures John Levine
- Re: [dmarc-ietf] Third party signatures Murray S. Kucherawy
- Re: [dmarc-ietf] Third party signatures Alessandro Vesely
- Re: [dmarc-ietf] Third party signatures Wei Chuang
- Re: [dmarc-ietf] Third party signatures John R Levine
- Re: [dmarc-ietf] Third party signatures Wei Chuang
- Re: [dmarc-ietf] Third party signatures Hector Santos
- Re: [dmarc-ietf] Third party signatures Alessandro Vesely
- Re: [dmarc-ietf] Third party signatures Douglas Foster