IETF Logo Mail Archive

Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

"Murray S. Kucherawy" <superuser@gmail.com> Tue, 18 August 2020 00:36 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAE713A14EE for <dmarc@ietfa.amsl.com>; Mon, 17 Aug 2020 17:36:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZBAZbWGWB-yV for <dmarc@ietfa.amsl.com>; Mon, 17 Aug 2020 17:36:51 -0700 (PDT)
Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C2663A14ED for <dmarc@ietf.org>; Mon, 17 Aug 2020 17:36:51 -0700 (PDT)
Received: by mail-vs1-xe2a.google.com with SMTP id a127so2481713vsd.1 for <dmarc@ietf.org>; Mon, 17 Aug 2020 17:36:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jeJmAateNPJ5VgNMtTp3XeMvWQPbVgm+P25aT2I68RU=; b=jqmpOdpt28/IB3PYjBjeRYX2Bhaw8d54GTe3w5Gns6v7Ap8CehYRTWhUIyJyCFj64p /neor1gmm4zECodLJ1bKd7H1F6mukK+h4JYwJ9Fh3clOmz3N0jm+BiQ5jYUF+UIPwvvw Q77TlyekhNcdymYiUCUGECbtZO1Tl7GeGMCPoQlMWtCbkywJtIF/cA5Vb3Y+YtrreSMO XtdbG/DXQbD0GL0flLwqzGG44a3nFFkgL0RAv7v0ZeA09g6WVoIfE9iWbkANPQhUSVj8 PDqi3XHOB20O9qNlrfsjMmz2wdhHrsGELkJUleOPhyacy4UEsvDbi0WB/oUR/baDWBUj Wt9w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jeJmAateNPJ5VgNMtTp3XeMvWQPbVgm+P25aT2I68RU=; b=ktZxnXmrSM7j9YuaTzBc9VcHg1CNbge80UUsy5xlZFcZ8djJnSFnN99m0xkhaC4tZF HDcrm+P4UvKweO4++HCWh/tUwY7TFxjb1tlrgWh698A+hhHGPNWfp07HRycUe+zfQzXV IXgNQdWAQZm0+Zs+BjNngmCunHj8Z93eeE+kSG16NcOoGyljRCvRB2zsp04/fi4SVIxX SzZi7RjFpctaC+n7IJOOykqRIX6K0bKZMnSXsVqMhQrFcGVIfNK+/OXCTDtz7RcKjtc2 /GGY0zfI+zaRYc7F4iEg0MuoQ0MqCVJijnyfV5M0p8Me0Hvr3aOirxfurKm748+3hjy+ hXlQ==
X-Gm-Message-State: AOAM5335OxuI+noyM2DkTN1+Bcd4qnkhr4sOQhff4DG17eXb42r0ecmM TLxIQUGw5tPgZkDwhaBZiEQCib0kkv5rj3ypM69OSQ4H
X-Google-Smtp-Source: ABdhPJxGuFi/fkU0z7sSownGOwUsGG3Zr21ndfnP/telJJOn7uDOCKRfPJlXC4vrbKt9t+8SE3yAF83/NxZ31Cjm/xQ=
X-Received: by 2002:a67:eb91:: with SMTP id e17mr9819195vso.7.1597711009961; Mon, 17 Aug 2020 17:36:49 -0700 (PDT)
MIME-Version: 1.0
References: <CAJ4XoYcFbh8-nAxjxzzRgUahFfhcgcZQ2yMF2ewv_-DgUmhL=g@mail.gmail.com> <20200814164237.313071E971DB@ary.local> <CAJ4XoYeqj_5mpZu1PZP4rNfrWRyC5gC-2dfK7oX9xQHiR24QeA@mail.gmail.com> <085c6a5f-5451-ae8c-4873-133673ba1754@tana.it> <CAL0qLwaVUi9QtV4zcCwncuy4N3YPwsGZPzFfd1q19io79UG2VQ@mail.gmail.com> <6755d0cef49e465bbf2bd170dbdc6aa3@bayviewphysicians.com>
In-Reply-To: <6755d0cef49e465bbf2bd170dbdc6aa3@bayviewphysicians.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Mon, 17 Aug 2020 17:36:38 -0700
Message-ID: <CAL0qLwa53ANAOEiQ3Qa_cqv+cUya8yWyDdVm3XzGPO8xx=0HAw@mail.gmail.com>
To: Doug Foster <fosterd@bayviewphysicians.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000033d88005ad1c15c6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jhcE4JEeUHBK2GM-hLdI-s89sJE>
Subject: Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 00:36:54 -0000

Still as just me:

On Sat, Aug 15, 2020 at 3:34 PM Douglas E. Foster <fosterd=
40bayviewphysicians.com@dmarc.ietf.org> wrote:

> Based on the discussions here, it appears that the notion of From address
> validation was envisioned from the beginning Sender Authentication
> discussions.    We have written evidence that Form address validation was
> anticipated in the DKIM and ATPS RFCs prior to DMARC.    So we have more
> than a decade of warnings that From address validation was coming.   While
> not everybody has time to read every RFC, the Mailing List trade press must
> have should have been reporting on it as something to watch.
>
I don't follow the logic here.  DKIM, as I recall, expressly disavowed any
assertion that could've been taken as From address validation.  (I think it
was in there before RFC 4871, but we collectively decided to remove it.). I
don't know how one could have inferred imminence from that.

ATPS is an Experimental RFC.  It was meant to, in some ways, augment ADSP
when we'd already figured out the damage it could cause.  The purpose of
publishing it was to get everyone (for some value of "everyone") to agree
on a protocol to use to provide third-party signature authorizations and
see if it was a useful response.  The silence was deafening.

Even after DMARC was in use, it appears that nobody in the mailing list
> community felt inconvenienced until the AOL/Yahoo hack and their decision
> to implement DMARC with p=reject.   This was the moment of Unhappy
> Surprise.    Bad guys had obtained many valid email addresses, so one of
> the concerns was how to prevent them from spoofing those users to send
> spam.   They could not use those address in the SMTP address because of
> SPF, but only DMARC could prevent those addresses from being misused in the
> Message From address.     It was the obvious thing to do and it would have
> been reckless for them to do otherwise.   Can you at least admit that the
> mailing list community was surprised because they failed to prepare for
> this contingency?
>
I wouldn't characterize it as "failure".  If you agree that DMARC's
antecedent is ADSP, I believe it had already fallen into disfavor to the
point where nobody was really worried about it anymore.

But I would agree that nobody anticipated it, especially since DMARC itself
and RFC 6377 both warned against its use for this very reason.

[...]  As a result, mailing list operators really have no standing in this
> discussion, although they can certainly speak as unhappy individual users
> and on behalf of their unhappy users.
>
I suggest that's precisely what gives them standing.

Consequently, the real problem before us becomes the existence of users who
> are unhappy because the From address on some mail does not meet their
> preferences.    I have to ask why that is a problem worthy of a standards
> body?     I have about 8 different scenarios in my head where a user might
> be have unmet expectations with the format of the From address, or might
> experience mailing list deliverability problems because of the email
> filtering policy of its domain relative to the addressing practices of his
> mailing list.   If our requirement is to make every user happy, shall we
> head down the path of all 8 problems, not just this one?
>
If all eight problems have been raised and acknowledged by the chairs, then
I imagine the answer to your question is emphatically "yes".

Though published as an RFC, DMARC was not an IETF consensus document.  The
remit of this working group is to come to consensus on a set of changes
that qualify it for the standards track.  We do that by considering the
perspectives and issues raised during that process and coming to consensus
on their respective resolutions.


> This project was supposed to discuss moving DMARC from informational to
> standards track.   It has been hijacked by those who, to paraphrase
> Shakespeare, “have not come to praise DMARC, but to bury it.”   This has
> been abetted by the chair’s assertion that we must square a circle – meet
> the MLs requirement for them to impersonate without authorization while
> continuing to advance the DMARC requirement to prohibit impersonation
> without authorization.
> [...]
>
I have not yet seen any assertion that DMARC needs to be buried.  In fact,
revisiting its assumptions is a perfectly feasible way to come to consensus
on its goals and how they might be achieved.  If DMARC was founded on false
premises, that plainly needs to be considered and possibly fixed.  That can
only strengthen it.

None of this discussion seems invalid to me.

As part of that hijacking, we have been inundated by Mr. Crocker’s
> assertions that the message From Address does not matter.  All the years of
> theoretical analysis that preceded DMARC and all of the operational success
> from implementations of DMARC are just wrong, simply because he says so.
>
It's not simply because he says so.  At the time DMARC was on the drawing
board, the MUA game was different.  We talked about this a lot back then,
and it was discussed previously in this working group too.  These days,
there's evidence to suggest that the domain name is rarely visible.  If
that's true, I claim it's a valid thing to revisit whether DMARC as it's
currently designed is providing useful protection especially with respect
to the disruption it causes elsewhere.


> More importantly, this discussion has failed to address the actual
> objective, which is to solve the asserted Mailing List problem as it
> relates to AOL/Yahoo/Verizon.   That enterprise does not seem to be
> involved in this process, and no one has offered reason why they will be
> swayed by anything said here.    The strategy seems to be that if we tell
> these people how stupid they are, that they will do whatever we tell them
> they must do, even if the solution is to weaken security for everyone on
> the Internet.    That is not a winning strategy.
>
I think this is all a little hyperbolic and not especially constructive.

RFC 7489 was co-edited by a Yahoo engineer.  I'm pretty sure she's paying
attention, either here or in related industry trade groups.  The others are
probably at least being made aware of it via the latter.

The IETF is not the protocol police.  If you need evidence of this, simply
note that RFC 7489 was deployed despite who participated in its development
and how many consensus documents warned against its use in mail flows where
Mediators are present.

DMARC has been mandated by at least three national governments,, by a
> variety of businesses, and by this one consumer-oriented email hosting
> service.   It is here to stay, and any extensions to the specification will
> need to improve security, not weaken it for the benefit of a special
> interest group.
>
This sounds a lot like an argument from authority.

There is no doubt that anti-phishing technologies are critical, and it's no
surprise that a protocol characterized as effective against phishing is
being widely endorsed.  The question being proposed here is whether DMARC
actually still fits that bill given the current state of the industry.  I
suggest that this is a perfectly valid question, and I would really like
you to explain why it should be declared moot or off-topic.

Instead, we should be anticipating that the U.S. government will begin
> mandating DMARC for its contractors, in phases based on contractor
> categories.    Simply requiring it for Department of Defense contractors
> would be sufficient to include most of the major research-oriented
> universities.   But every school that takes student loan payments is also
> considered a government contractor, which covers almost all of them.
>  Every branch of state and local government also feeds from the federal
> trough, and concerns about election meddling means that they are likely
> targets for voluntary or required implementation of DMARC.   Essentially
> every health care institution is also a government contractor, because they
> take payments from Medicare or Medicaid, usually both.
>
Yes.  Wouldn't it be an atrocity if they bolted their security stories to a
lemon?

It is time to begin a discussion rooted in what is feasible, and what is
> appropriate for IETF to undertake.
>

There, we agree.

-MSK

v2.23.0 | Report a Bug | By Email