IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

Bron Gondwana <brong@fastmailteam.com> Sat, 28 July 2018 02:39 UTC

Return-Path: <brong@fastmailteam.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE974130E32 for <dmarc@ietfa.amsl.com>; Fri, 27 Jul 2018 19:39:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=Ow7dOIah; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=ilGCrRUc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kdF9YoB9SC6f for <dmarc@ietfa.amsl.com>; Fri, 27 Jul 2018 19:39:13 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC48D12F1A5 for <dmarc@ietf.org>; Fri, 27 Jul 2018 19:39:13 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id E5BA071D for <dmarc@ietf.org>; Fri, 27 Jul 2018 22:39:12 -0400 (EDT)
Received: from web2 ([10.202.2.212]) by compute6.internal (MEProxy); Fri, 27 Jul 2018 22:39:13 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=content-transfer-encoding:content-type:date :from:in-reply-to:message-id:mime-version:references:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=mV/1NV5EIRLceyUUc RfDGIr0xK7PHbsgsLPntTiuuu0=; b=Ow7dOIahqsyBkdXTQ58uDhPmixk5Dc651 6R48+dx6PPpD0baSV99fpisKE4ziFlAAuK7Pk/omPskhfXB9dszcy9v5Mdpmhlqw +oRHnSs6AxT4kGXx/hJg6Kxcn8WmCvCJQXRN+HMxswKk0oDHblplkgUgWGj5iwgI LTF/8ps4Z921GIWCi16sTY/ZpAAAXdP/PuRV/XEX+QA/gjb/zMBvP5zMTyaRQ0Xi 4L5JYM/CiJ13l0TgCZZsQtxDdfVLmBtRgdaXPkpSa85xVf0I1aAp4NnnDlTyyBtN 2XPnuvDhLzjVJDkvhfFN1Lxjg/UfFc4pxcJFdVTywcUohhV3z7LzA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=mV/1NV 5EIRLceyUUcRfDGIr0xK7PHbsgsLPntTiuuu0=; b=ilGCrRUcxCPz9feg7qR88h RnjOJGK5YGkH30uQkctTtVzkwPAbZMWlARRmv+Xe0knwCTwruWjIPIyIegf/C+Hi 8vnyjdGPi/1vm8zaFRzJCcaxetfDrU9b+MZoetxWfVFhLsGY3/sLQgen5jhHxLXR zNPLQKSsN5uwJQZdcDLy4JuLcGJTbD2DNbKaqK3l/lvK9SQDc9Qx23vULnoCUaz6 +5nSExnY6iic9e7ZQWSfhl94WUnyRceppQsreWrf36/5bSb4tdwDcr81Xw7XbNHJ dEVCdCwGsfu7bE3qOlGZlQbnXflJ8bi0fs61bFEk1Frmc3Raj1qvSMryJFCLmx9A ==
X-ME-Proxy: <xmx:UNdbWzU5yEO81D6-O8wAdYxd7w_kiW573K2735_X6MOONqg-aNHNbA> <xmx:UNdbW939T3EuX3nVBtiZw4FX-KGrspnVuFPPT1xs5d6SKEk4CN9ZWg> <xmx:UNdbWxqBI7atvZMfW7sAKKpw3oO2vyVM7lGFxPS3O6zPJy7rSztFig> <xmx:UNdbW0XCwpHfpJgwl9FPugt0Iqr4UCFBXnDE13atO-ZONDMKHYOkjQ> <xmx:UNdbW8aJxz-nmKOf-q9tevsuPmES_piHMJfv2AfwU9Vorqy80thShA> <xmx:UNdbW0X6A2nMGwmUvDrYWlHz280T-Eju5uq3BlQEMwCgCCdZBosXTw>
X-ME-Sender: <xms:UNdbW6cal8VHMqaxqvNaFhtpGX26swbIOBl7YifHN0GmuOF4Qg0MnA>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 024B8621CB; Fri, 27 Jul 2018 22:39:11 -0400 (EDT)
Message-Id: <1532745551.208119.1455489824.75DFC005@webmail.messagingengine.com>
From: Bron Gondwana <brong@fastmailteam.com>
To: dmarc@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_15327455512081192"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-0843ff3e
In-Reply-To: <CAD2i3WM99Yy6Y=BQE4dC=Ffm7J32My160Xdm2oxXC50Au9tXoA@mail.gmail.com>
References: <CAD2i3WMMJPaZYonS-qcz8pwOKYmS2Xe+8WBZPuAqjiGoYePzSg@mail.gmail.com> <CAL0qLwapyX3U=0OqQWzx+dDELn3W0v=N_HyzDnSw49oWQ+SE5Q@mail.gmail.com> <CAD2i3WN90JSS8pzgRxrbokuKmhZaLUrimYRWqkZwzVDBxTczng@mail.gmail.com> <CAL0qLwZ_uPh5iPkS7MKzDp3x=dAgn-hmsEunccDc3Hj2bsphpQ@mail.gmail.com> <CAD2i3WM99Yy6Y=BQE4dC=Ffm7J32My160Xdm2oxXC50Au9tXoA@mail.gmail.com>
Date: Sat, 28 Jul 2018 12:39:11 +1000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/l5TA3i2I_S3BBeEfXU7MO6X13Ec>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2018 02:39:16 -0000

On Sat, Jul 28, 2018, at 03:29, Seth Blank wrote:
> On Fri, Jul 27, 2018 at 10:21 AM, Murray S. Kucherawy
> <superuser@gmail.com> wrote:>> On Fri, Jul 27, 2018 at 8:35 AM, Seth Blank
>> <seth@sethblank.com> wrote:>> 
>>> The verification algorithm is straightforward. If you receive a
>>> chain that ends with cv=fail stop your evaluation, you’re done.
>>> There’s no separate validation path here.>> 
>> 
>> Then why bother signing anything when you affix "cv=fail"?
> 
> Because adding your ARC Seal over the chain guarantees that the
> receiver has a complete list of everyone who modified the message up
> until the failure.
No, this is wrong.  I have detailed why this is wrong many times.  A
single cv=fail means that there's no proof that the entire previous
chain isn't just a valid set of ARC headers picked up from somewhere
else with the serial numbers filed off and the entire message replaced
with something else.
The only thing your ARC Seal will validate is your own ARC-Authentication-
Results header - which isn't nothing (it could contain the IP address
that you received this message from) - but if SPF / DKIM and ARC are
all fails in your Authentication-Results, any earlier ARC and DKIM
headers have no provable causal relationship with the rest of the
message you received.
Bron.

--
  Bron Gondwana, CEO, FastMail Pty Ltd
  brong@fastmailteam.com

v2.23.0 | Report a Bug | By Email