Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

Seth Blank <seth@sethblank.com> Wed, 15 August 2018 18:41 UTC

In-Reply-To: <20180815183022.09ED420038205D@ary.qy>
References: <799c2b18-97fe-6e22-f2cf-49245ae9c65e@gmail.com> <20180815183022.09ED420038205D@ary.qy>
From: Seth Blank <seth@sethblank.com>
Date: Wed, 15 Aug 2018 11:41:18 -0700
Message-ID: <CAD2i3WPT4CW0M8_8mTMSNoeWCja5eHz1mq5nCNqgE7Hv+DuFHw@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: IETF DMARC WG <dmarc@ietf.org>, Dave Crocker <dcrocker@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ki2qSAbN4CkiwtEy25vlPuefYzE>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

On Wed, Aug 15, 2018 at 11:30 AM, John Levine <johnl@taugh.com> wrote:

> In article <799c2b18-97fe-6e22-f2cf-49245ae9c65e@gmail.com> you write:
> > So the extra mechanism is intended as an efficiency hack.
>
> No, it also documents the fact that the chain was broken when it
> arrived at the cv=fail signer.  Without it, a subsequent hop can't
> tell.  It probably won't make much difference to spam filters, but
> it could be useful if you're trying to find and fix forwarders
> that make gratuitous changes.
>

Exactly.


> I think there's a modest benefit to signing with cv=fail, and since
> you can't count on having a chain (even an invalid one) signing as
> if it were cv=none seems reasonable.
>

It's this, as well as what I outlined in my previous message.


> PS: Once there is a cv=fail seal, there doesn't seem to be any point
> to adding any more seals in later hops.  It's dead, Jim.
>

Absolutely, and the spec very clearly said this prior to the -15 reorg, but
it appears that has disappeared. Fixed.
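As an added illustration, not part of this thread or of any ARC implementation: a small decision routine for the cv= value a hop would put on its own ARC-Seal, following the rules discussed above (no chain yet gives cv=none, a broken or non-validating chain gives cv=fail, and once a cv=fail seal is present no further seal is added). The ARC-Seal header values are constructed samples with placeholder b= values, and the cryptographic check of the existing chain is an assumed injected callback rather than a real verifier.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample ARC-Seal values (one per prior hop); b= are placeholders.
SAMPLE_SEALS_BROKEN = [
    "i=1; a=rsa-sha256; cv=none; d=first.example; s=sel; t=1534358000; b=AAAA",
    "i=2; a=rsa-sha256; cv=fail; d=second.example; s=sel; t=1534358100; b=BBBB",
]


def parse_tags(value: str) -> Dict[str, str]:
    """Split a DKIM/ARC-style tag=value list into a dict, dropping folding whitespace."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def next_cv(seals: List[str],
            chain_valid: Callable[[List[Dict[str, str]]], bool]) -> Optional[str]:
    """Return the cv= value for this hop's ARC-Seal, or None if no seal should be added.

    chain_valid is an assumed hook standing in for signature verification of the
    existing chain, so the decision logic can run without keys or DNS.
    """
    sets = [parse_tags(s) for s in seals]
    if not sets:
        return "none"  # no chain to validate: this hop starts one
    # A prior cv=fail seal records that the chain was already broken when it
    # reached that signer; adding more seals after it serves no purpose.
    if any(t.get("cv") == "fail" for t in sets):
        return None
    # ARC instances must be exactly 1..N with no gaps; anything else is broken.
    instances = sorted(int(t.get("i", 0)) for t in sets)
    if instances != list(range(1, len(sets) + 1)):
        return "fail"
    sets.sort(key=lambda t: int(t["i"]))
    return "pass" if chain_valid(sets) else "fail"
```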