IETF Logo Mail Archive

Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations

Dotzero <dotzero@gmail.com> Mon, 20 July 2020 12:32 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AF793A08CB for <dmarc@ietfa.amsl.com>; Mon, 20 Jul 2020 05:32:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H_VsGqMggJXZ for <dmarc@ietfa.amsl.com>; Mon, 20 Jul 2020 05:32:11 -0700 (PDT)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D9783A096D for <dmarc@ietf.org>; Mon, 20 Jul 2020 05:32:04 -0700 (PDT)
Received: by mail-wm1-x32f.google.com with SMTP id 22so22104339wmg.1 for <dmarc@ietf.org>; Mon, 20 Jul 2020 05:32:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=o5wZygNmGVfbWmAn3Acep7nnymHcbJkUfOgdejmr1rM=; b=UHQAS11jmRd+LntZpWqoyafuQomZNyiuV3Zz53gjHBDlKq8a+ObT9ktXmGc8GzQ3od AHLiOXphmsh9SEr1AKtH0LgYc8qNnJu2yU1dy1OZq1CS3CBkfNDn+8Sg7uvLcZ/pEjLP rSFZroZueeCRUAl5LnYi05c5ozvZpqLKQLe+LVrWPDantQ9WrOfXb8RL9ds0Gm1PHtOa h9nDkbQpBUIV7PdoONQR322oA6L4YdZOV/j3vah8+C7KtLleWUBSDXUeBatnXsDMmfMd Csk9YcPZHVVq4qLwQG88wuIlTICIxRUpvQzB4sJTsNaO0Rdl2o0Ngi03amaZnUm/pa1+ tnCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=o5wZygNmGVfbWmAn3Acep7nnymHcbJkUfOgdejmr1rM=; b=fak/AdhaEOSQcWA9CjBp5CdjTNbt3RgKxPTRQhanwZL0+mmZGkVwmfpVH9s8d9r0KA KRjUD+GhKKU2AcPXtdvzITOQQ4XOvkAoLLlDtpjQ89ns6qNytt6ZZuBLvenamwOhbwPl /beP3EKg9SwZdYTaCZK4U0ebAQ+sxFCqVmIaGKz4zp4U+lnDSBO2TlE76/AIcOz3USF5 q7iyuA7gEx47a1Q+P8LtnibcEmG8cssGiT6AH/KXs5bsud8EKmD2ZxFWxQ6UQalWbRVY 5cIUjp1J1Y7G+TTwszET0AIwi9rC0FBY10nsTFTu6gyjc9NApisufbMEob/51h0XF+Rl lEFQ==
X-Gm-Message-State: AOAM531Grv3WDkqPWtk/1km17HPZ8vNsQJ/Yap2v71bSdfWyVO+O3rh9 Jos1uHr8esnfeRfc5G6aknxo8wsIgay3uA4o2+W96w==
X-Google-Smtp-Source: ABdhPJwrOmquX4CIhDQJ5CFRLuLRqar1s0gCGaN6daSGjiTHX5fk8TOQuEvEbX7fcQ0znBCnyNBB4BfZ87oWIKBkFzk=
X-Received: by 2002:a1c:6408:: with SMTP id y8mr20812375wmb.122.1595248322512; Mon, 20 Jul 2020 05:32:02 -0700 (PDT)
MIME-Version: 1.0
References: <bf5b68c74a3c487ca8a07a0a27061e47@com> <87zh7ur069.fsf@orion.amorsen.dk>
In-Reply-To: <87zh7ur069.fsf@orion.amorsen.dk>
From: Dotzero <dotzero@gmail.com>
Date: Mon, 20 Jul 2020 08:31:51 -0400
Message-ID: <CAJ4XoYdF8zi1Bqu0FqnW-R6Q67b4bYfFK+CbV=9HzF42A0L-LQ@mail.gmail.com>
To: Benny Lyne Amorsen <benny+usenet@amorsen.dk>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000978b4e05aadeb17d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/mlEf0aFIKmn_1lhEYobnlkrrMGc>
Subject: Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2020 12:32:13 -0000

On Mon, Jul 20, 2020 at 5:44 AM Benny Lyne Amorsen <benny+usenet@amorsen.dk>
wrote:

> "Douglas E. Foster" <fosterd@bayviewphysicians.com> writes:
>
> > Ultimately, this becomes a question of power.  Do domain owners have
> > the right, with the help of their correspondents, to prohibit spoofing
> > (unauthorized use) of their digital identity?
>
> Domain owners are free to use the court system to assert trademark
> rights and copyright. They are also free to apply whichever seals of
> digital identity that they want, of course.
>
> > Or since they are technically leaseholders, not owners, are their
> > rights conditional?
>
> You seem to be laboring under the impression that domain owners have a
> right to compel mail recipients to respect a DRM scheme. This is not the
> case. You can try to sue Google to force them to reject incoming email
> with your domain in the From: field and no valid DKIM (or whatever)
> signature, of course, but I have a hard time imagining which right you
> would assert to make the suit successful.
>
>
DMARC clearly recognizes and documents local policy.


> > Specificslly, do Internet insiders have the right to declare their
> > spoofing control efforts to be based on foolish premises, both
> > unnecessary and inconvenient, and therefore not allowed?
>
> No one, certainly not "Internet insiders" of which I am certainly not
> one, is stopping you from doing whichever spoofing control efforts you
> want on your systems.
>

One might point to the fact that DMARC was just such an effort before it
was publicly published. While there was much criticism of this when it was
submitted to the IETF - "You just want us to rubber stamp this" -  there
was no such intent. It had worked well within the group of senders and
receivers implementing it through private peering that the effort was made
so that any domain of any size, both senders and receivers, could
implement it if so desired. I think the adoption rate in the wild speaks
for itself (volume of mail covered by DMARC).

>
> Feel free to keep p=reject on your domains. Many mail servers will keep
> using that as a signal among many others, rather than as a blanket
> reject.
>
> If you want recipient mail servers to change that policy you can either
> do it by convincing their administrators or by getting a law passed. So
> far you appear to favour the latter approach, with your focus on
> "prohibit" "unauthorized use" and "rights". The IETF is not a lawmaking
> body, so it appears there are better venues for you.
>

You have left out one significant way of convincing receiver domains and
their admins. We used to have our CSRs (customer service) tell people who
received spoof emails (resulting in phishing, malware compromise, etc.)
from emails claiming to be from our domains that they should contact their
mail provider or email admin because the problem could have been avoided if
DMARC were being checked. We would even provide them with the details and a
form with all the information in non-technical terms. It is amazing how
quickly a provider pays attention when their customers/users are
complaining to them that the provider could have prevented the heartache
and grief but chose not to. Again, this was for domains sending
transactional mail with only a limited number (intentionally) of role and
support accounts.

While IETF is not a lawmaking body, it has an impact on the decisions of
lawmaking bodies just as the decisions of lawmaking bodies can impact the
implementation of standards. One need only look at the "great firewall of
China" as one example.

Michael Hammer

v2.46.0 | Report a Bug | By Email | System Status