IETF Logo Mail Archive

Re: [dmarc-ietf] Some Gmail comments on DMARCbis version 28

Hector Santos <hsantos@isdg.net> Mon, 18 September 2023 19:10 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FB20C1519AC for <dmarc@ietfa.amsl.com>; Mon, 18 Sep 2023 12:10:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b="DQvbFsdV"; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b="eDt6xehW"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SFmwKt_7Hyc0 for <dmarc@ietfa.amsl.com>; Mon, 18 Sep 2023 12:10:29 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [3.137.120.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA768C151527 for <dmarc@ietf.org>; Mon, 18 Sep 2023 12:10:29 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=13998; t=1695064223; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:From:Subject:Date: Message-Id:To:Organization:List-ID; bh=rVQdN/UF/mX2XFFU71FXFe63D n6HaMgdLsrYO+5FDZA=; b=DQvbFsdVDp3avQXyuddQA5T5/Am0js9SB1JePrwet wFnc0A9axoyO5Q2zmUgXCaipKGcGuzM44/X3Gi3uQNRwjmXf09bTxohcmCLh0E9a 1G7+ch2r7xH4Zj3e/Rr2uL4G4xoBOqc9vARbLijwKEnrQWb1BP2bkDw6GebcQKYY bQ=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.13) for dmarc@ietf.org; Mon, 18 Sep 2023 15:10:23 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=none author.d=isdg.net signer.d=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([3.132.92.116]) by winserver.com (Wildcat! SMTP v8.0.454.13) with ESMTP id 2571864319.1.9124; Mon, 18 Sep 2023 15:10:22 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=13998; t=1695064221; h=Received:Received: From:Subject:Date:Message-Id:To:Organization:List-ID; bh=rVQdN/U F/mX2XFFU71FXFe63Dn6HaMgdLsrYO+5FDZA=; b=eDt6xehW237NKZYTRerozXZ 7UrFycEg3g5a27PKm+H+is2Vm9UVbWXijWTKlmH/SUYvY9rXEe+FQIsuftseIgCv Ev4mytwiqBmCxhegD2eqBlKtG4DJzuYN3B/OmM/MKYd3+NTHRvK773wr89Qq+0se lP2OsQAb8tpzQHsj6KXg=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.12) for dmarc@ietf.org; Mon, 18 Sep 2023 15:10:21 -0400
Received: from smtpclient.apple ([70.230.12.88]) by beta.winserver.com (Wildcat! SMTP v8.0.454.12) with ESMTP id 3017949319.1.16864; Mon, 18 Sep 2023 15:10:20 -0400
From: Hector Santos <hsantos@isdg.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_458230AE-0690-48DD-8818-E057749BFFF0"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
Date: Mon, 18 Sep 2023 15:10:09 -0400
In-Reply-To: <CAAFsWK0ZFW7a86MpGzug93OdTWOt5Bg0GArJTL4N3k5Pgjmtbg@mail.gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <CAAFsWK1xtj0zCEG-77Ar8G83_F2uQpJPOA5SKzci7T5BHTnNWg@mail.gmail.com> <3958752.RVHoKaEt2R@localhost> <CAAFsWK0ZFW7a86MpGzug93OdTWOt5Bg0GArJTL4N3k5Pgjmtbg@mail.gmail.com>
Message-Id: <AEC86C21-3D9E-488D-9AB4-F47E43DAE972@isdg.net>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
X-Comment: Missing recipient address appended by wcSMTP router.
To: dmarc@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ltOrfc4xRtPycDu40hcA9y4lP1k>
Subject: Re: [dmarc-ietf] Some Gmail comments on DMARCbis version 28
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Sep 2023 19:10:34 -0000

I have been “militantly” against Authorship destruction.  But fast forward to today, I am willing to support it IFF it can be officially sanctioned by the IETF using a well-defined Rewrite protocol for List Systems.

Overall, I believe if the middle ware performs a rewrite due to an author’s restrictive policy, we should consider these technical concepts:

1) Applicable to p=reject or p=quarantine only,
2) A domain rewrite SHOULD match the original domain security.

For example,  for this list,  the IETF list manager rewrites my address:

hsantos@isdg,net

to

hsantos=40isdg.net@dmarc.ietf.org <mailto:hsantos=40isdg.net@dmarc.ietf.org>

I believe any domain transformation should retain the p=reject isdg.net <http://isdg.net/> policy security level.  In this case, p=reject was weaken to p=none with the domain change.

So I can support rewrites iff the domain security can be retained.

All the best,
Hector Santos



> On Sep 14, 2023, at 5:27 PM, Wei Chuang <weihaw=40google.com@dmarc.ietf.org> wrote:
> 
> 
> 
> On Sun, Sep 10, 2023 at 11:34 AM Scott Kitterman <sklist@kitterman.com <mailto:sklist@kitterman.com>> wrote:
>> On Thursday, September 7, 2023 12:28:59 PM EDT Wei Chuang wrote:
>> > We had an opportunity to further review the DMARCbis changes more broadly
>> > within Gmail.  While we don't see any blockers in the language in DMARCbis
>> > version 28
>> > <https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-dmarcbis-28> and
>> > can live with what is there, we wanted to briefly raise some concerns
>> > around some of the changes.  Two points.
>> > 
>> > Regarding the languages in section 8.6 "It is therefore critical that
>> > domains that host users who might post messages to mailing lists SHOULD NOT
>> > publish p=reject.  Domains that choose to publish p=reject SHOULD implement
>> > policies that their users not post to Internet mailing lists", we wanted to
>> > point out that this is impossible to implement.  Many enterprises already
>> > have "p=reject" policies.  Presumably those domains were subject to some
>> > sort of spoofing which is why they went to such a strict policy.  It would
>> > be unreasonable to tell them to stop posting to mailing lists as many
>> > likely already use mailing list services and will want to continue to use
>> > them.  The one thing that makes this tractable is the SHOULD language as we
>> > may choose not to not follow this aspect of the specification.  Our
>> > suggestion is that there is not a lot of value in including this language
>> > in the bis document if the likely outcome is that it will be ignored, and
>> > rather more effort should be placed with a technical solution for interop
>> > with mailing lists.
>> 
>> It might be helpful if you could describe this technical solution from your 
>> perspective.
>> 
>> If there were a reasonable technical solution available, I think this would be 
>> a much easier change to support (in my opinion, and a believe a substantial 
>> number of others, rewriting From is not a reasonable technical solution).
>> 
>> Scott K
> 
> Apologies for the delay in getting back to this. 
> 
> So yes I believe there are two possible technical approaches broadly speaking 1) Support rewriting From and being able to reverse it along with message modifications to recover the original DKIM message hash to validate the original DKIM signature.  2) Create a new message authentication method that is tolerant of message modifications and message forwarding, and supported by DMARC.  From header rewriting would not be necessary in this scenario.  Beyond the complexity of supporting either method, another tricky thing in both cases is supporting an ecosystem with diverse adoption of said technique.  More concrete proposals for 1) and 2) are 1) draft-chuang-mailing-list-modifications <https://datatracker.ietf.org/doc/draft-chuang-mailing-list-modifications/> and 2) draft-chuang-replay-resistant-arc <http://draft-chuang-replay-resistant-arc/>.  And there are other I-Ds out there particularly for the first approach.
> 
> -Wei
> 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org <mailto:dmarc@ietf.org>
> https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email