IETF Logo Mail Archive

Re: [dmarc-ietf] ARC questions

Brandon Long <blong@google.com> Mon, 23 November 2020 20:15 UTC

Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B0823A0AAF for <dmarc@ietfa.amsl.com>; Mon, 23 Nov 2020 12:15:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.699
X-Spam-Level:
X-Spam-Status: No, score=-15.699 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f82TM1KjFBjV for <dmarc@ietfa.amsl.com>; Mon, 23 Nov 2020 12:15:30 -0800 (PST)
Received: from mail-vs1-xe33.google.com (mail-vs1-xe33.google.com [IPv6:2607:f8b0:4864:20::e33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AB943A09FF for <dmarc@ietf.org>; Mon, 23 Nov 2020 12:15:30 -0800 (PST)
Received: by mail-vs1-xe33.google.com with SMTP id u24so9808257vsl.9 for <dmarc@ietf.org>; Mon, 23 Nov 2020 12:15:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=izqBJUV7YSeRJTShUKa13BLKOI5uYFlqS8TxPSQpWS0=; b=SpT+qFzcZ+Z2ZzMgfYaUt9sVf5tTx99ETG7Ugt0njFmhRt2Lh5wgtpFa6CaiLmluJe dC/ASWo7UoU1QrKFwR4xOcn7KTiMmUU8YkpGnKSpSsll3Jo+ZnSVOh5k9nDwa4Sh21gm aI/Gl4kq114sZhUixzrWIPYiyujIgax5aOtK/0I1FgKbs/9ec5DUlmPJ9nJ/Dp3X3xb7 XyXCT8o+tCL4n+vIGkmudyPR+wkYKLcarrD7F0E1BXbp2ss/5pLOIkIOZE/3BreCDEX6 QNEjCK9IpnL9uTynt4PE2T6fvfHBIx2uRCs8F9E8NvJDyhOJvc75UgwXo/rRzs/gM6eT P0HQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=izqBJUV7YSeRJTShUKa13BLKOI5uYFlqS8TxPSQpWS0=; b=SiqoE9Sn3U102eFB94f5YhrtyXkvvOolytTOOcs5dKpst5ZnzNLtq+YWavYV0ACqZg 2tbW+2fEzGpONKKzZaSrlmfwRjWEUl1O5B/gJywjUmoRGUkNqb2oyA+VmyNB7ivG+9S1 o3AatJOIcUCqs38I4LbD0ytil9fl67jcioo2NaKKfXTFdMmegwGdztxePPiMIuOPF02m 2ffUETwUUvqSQ/412777BFoi6khTYb/HMc3qit8RSnNqAkuswzYB0rrfJp1VPgUbuWWf Fg0RPvng7+Nh2KroYI0HOscJo2VdcftpEgrx6Ue0dziFq+BxMMEuar5AK1s/UWbiFAH1 eYuA==
X-Gm-Message-State: AOAM533HbDlPfrV0SgSrnY2py8LGI7pd5KjXKIsMJQAXSZA2DY4MCZ5I pcShIAbSQpRFGetx0Zn4mZPB7alEnKYm9DP4uL0E
X-Google-Smtp-Source: ABdhPJwx0BiJ7rPHtSIyRI4O0bjAbw/ZOuriM+F2sGsE6LKm+4N3L59Hkz7xAeD5N7TVrecIrH2pVjkZTsOyWU46L3w=
X-Received: by 2002:a67:df8b:: with SMTP id x11mr1536798vsk.37.1606162528960; Mon, 23 Nov 2020 12:15:28 -0800 (PST)
MIME-Version: 1.0
References: <dcc265f9-a143-5093-eba0-94ee059c7cc7@mtcc.com> <20201122021417.B5E6E27B3E59@ary.qy> <CABuGu1pX=5ZC4RLsv19qrosRN9nCrPdeSk5Xg4O7ViEZit6dnA@mail.gmail.com> <453c4db4-fc62-dc76-5b15-707623d66f9f@mtcc.com> <64f18b-ae8-8c15-3d33-ff2d864c35bc@taugh.com> <884541e6-5076-7f8f-d1d2-d68ea9c5a2bc@mtcc.com> <CABa8R6u_K=KEQv3vmkVwEuYon350NEkd62eOovhq+gv9wonSnA@mail.gmail.com> <f28b76e5-2855-985e-ece5-960aa68e2846@dcrocker.net> <CABa8R6s+CoKv69g+Csu83e+vMac83rm85cFJXE09_H6TiYJB6Q@mail.gmail.com> <40aa3391-84fb-bd2d-92ab-e268c674d4a4@gmail.com>
In-Reply-To: <40aa3391-84fb-bd2d-92ab-e268c674d4a4@gmail.com>
From: Brandon Long <blong@google.com>
Date: Mon, 23 Nov 2020 12:15:15 -0800
Message-ID: <CABa8R6u42VOJQDoUpdTC_8nAmEE3m0Y+D4xMFyCAaTRfyLj39w@mail.gmail.com>
To: Dave Crocker <dcrocker@gmail.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fe016005b4cbda9e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ltMeNb66GpOmSRj1UkouJPj-kjI>
Subject: Re: [dmarc-ietf] ARC questions
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 20:15:32 -0000

On Mon, Nov 23, 2020 at 11:53 AM Dave Crocker <dcrocker@gmail.com> wrote:

> On 11/23/2020 11:42 AM, Brandon Long wrote:
> >
> >
> > On Mon, Nov 23, 2020 at 11:34 AM Dave Crocker <dhc@dcrocker.net
> > <mailto:dhc@dcrocker.net>> wrote:
> >
> >     On 11/23/2020 11:29 AM, Brandon Long wrote:
> >      > The DKIM-Signature is an "ownership" thing, it's a message
> >     originator
> >      > that is saying
> >      > "associate this message to me".
> >
> >     That is not DKIM's semantics:
> >
> >          "DomainKeys Identified Mail (DKIM) permits a person, role, or
> >          organization to claim some responsibility for a message by
> >          associating a domain name"
> >
> >     This says nothing about whether the organization has anything to do
> >     with
> >     origination.
> >
> >     There is nothing to prohibit or preclude handling agents other than
> the
> >     originator from signing.
> >
> >
> > Yes, of course, a handling agent can do it, but there are plenty of
> reasons
> > why they shouldn't.
>
> Please enumerate and explain.  If it's that dangerous, we should
> document it, especially I don't recall that constraint being in any of
> the design or standardization discussions.
>

DKIM often ties a domain to reputation and other anti-spam features.  If you
forward spam to another host and sign it while forwarding, then the other
host
will think you send spam.

DMARC ties DKIM to the From header and at least is interpreted as being an
anti-phishing feature.  DKIM signing mail that you forward could mean
upgrading
a phishing message to passing DMARC.

This recent article also goes into things that DKIM signatures imply:
https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/

Perhaps this all means that DKIM has been used for more than it was
intended for.


> >      > Intermediaries don't want to take ownership of the message in that
> >      > sense, though there
> >      > are some mailing lists that do.
> >
> >     Signing with DKIM does not take 'ownership'.
> >
> >
> > Yes, responsibility is the proper word.  My point survives the word
> change.
>
> I disagree.
>
>
> > DKIM says the domain takes responsibility for the message, while ARC says
> > the domain takes responsibility for evaluating the status of the message
> > when
> > they received and forwarded it.
>
> This implies that the word 'some' is irrelevant.  It isn't.  And it was
> included intentionally.
>

Automated systems can't really tell how much responsibility an intermediary
was
intending to take for the message.  OTOH, they typically are using it only
for a certain
purpose, so they assume that the intermediary took responsibility in the
sense that they
want... or rather, the people who wrote the code do.  Or the journalist
writing the story.

ARC was specified to have a more specific responsibility, and as different
from DKIM so
that it wasn't mistaken for the uses that people were already using DKIM
for.

Brandon

v2.23.0 | Report a Bug | By Email