IETF Logo Mail Archive

Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Seth Blank <seth@sethblank.com> Tue, 15 August 2017 02:59 UTC

Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 905681324AB for <dmarc@ietfa.amsl.com>; Mon, 14 Aug 2017 19:59:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KNq4tV65jmIL for <dmarc@ietfa.amsl.com>; Mon, 14 Aug 2017 19:59:39 -0700 (PDT)
Received: from mail-ua0-x236.google.com (mail-ua0-x236.google.com [IPv6:2607:f8b0:400c:c08::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A6FE1324A1 for <dmarc@ietf.org>; Mon, 14 Aug 2017 19:59:39 -0700 (PDT)
Received: by mail-ua0-x236.google.com with SMTP id f9so43385751uaf.4 for <dmarc@ietf.org>; Mon, 14 Aug 2017 19:59:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=a236AFJmYMYU0xLBzHwYMSPLkxWN1X63Fc+1Y0THXNE=; b=a1JSyvXcUbHNCPKCf9IydCUieHzm6NVHNjBXE7l2UEI7YnZapu/vZgt+XqUhghzbX6 h0bvWCmZfIEia90VwlaHhooEkec+7vx95iHrzPk/O6cvV02z40IdGl0WW6e606ypyLxC DG8KEUKzzKoOMWTV/rjDs4P4Abuyuv/bibNxPbVquztJaDvgieZlWxYqOjC2nDjsz17q NEedyXGuxDjNCHmSntTQkAy+PoaRzUvMkKjKUvbFhpElZELUUHsFCqQZHAlaKzo5qlVT J+LO/SkYmYS9wsRReiYCqB8A5bxZxi6QwJn7TyWEqNS2ZssoiljkBnP/ye7xyvCpLwUC hZVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=a236AFJmYMYU0xLBzHwYMSPLkxWN1X63Fc+1Y0THXNE=; b=LTiTtDUTIdWUWX+B5moeCTAh79QttbClNJBVk17jfMTCEBR7o1B8ahKrpAta9RIllZ Qc3egq/sBLhF4/zdcaj/QBhaWXbHmsOGWwdquxqLfnxYeMP2pD3u47UIVZuzlYm4txBt NKLyciEmKxA+kft4OW8Lyvc49WHaYyIaajXIQbrWZicW58hM7wm3Y0hp7nFz9m8Dht1P 4hddrOQzTxPkqtlMk7n8dZxFzrANaXKFfgiJhK7fsXvWfk0LNxE1HW+73oKG9FV3SVql dih7ULV21fMtzzY2nwE4lFKnCm58A/+a4Ja4JKaAUPwSPN93bCXkhNRjDhBNhJo5XPtY PNig==
X-Gm-Message-State: AHYfb5jjWA6nb75yVHw4r/jcMvzUQ29P2XGBU+tRSGTTxBceNawLXZoY ctSPqnSarW8fTlnkuHpuxFP59yAiPSY0TbA=
X-Received: by 10.176.74.71 with SMTP id r7mr16105388uae.180.1502765978391; Mon, 14 Aug 2017 19:59:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.151.25 with HTTP; Mon, 14 Aug 2017 19:59:17 -0700 (PDT)
In-Reply-To: <1502760697.1080249.1073516280.7B4109C1@webmail.messagingengine.com>
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com> <CABa8R6uV=4Cc47zHtZtA-0WFVhuEYPAr3NTswzvF4H21tjfWTw@mail.gmail.com> <1502755921.1067004.1073467336.14612B87@webmail.messagingengine.com> <CAD2i3WMt+FL7J21diBBD_Qw88iGu5-PUhJcp3cGpFdF9qYhTew@mail.gmail.com> <1502760697.1080249.1073516280.7B4109C1@webmail.messagingengine.com>
From: Seth Blank <seth@sethblank.com>
Date: Mon, 14 Aug 2017 19:59:17 -0700
Message-ID: <CAD2i3WN9C8dm=TTVKTWW4NCwXy_Or-zj6uykV0HFTZ=4CBEpdQ@mail.gmail.com>
To: Bron Gondwana <brong@fastmailteam.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="f403045f8f0e53077e0556c1f8b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/mrP1apc52-WA7AhseWvDejb5Bg4>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 02:59:43 -0000

On Mon, Aug 14, 2017 at 6:31 PM, Bron Gondwana <brong@fastmailteam.com>
wrote:

> Do we, though? ARC has NOT ever been about localizing or understanding
> changes to a message, it has been about understanding *actors* who may have
> modified the message.
>
>
> Sure, but knowing which actors may have modified the message and which
> actors definitely didn't modify the message is super useful.
>

We get that with you suggestion above "first AMS failure"


>
> It means that if you trust the next hop, you don't need to trust the
> intermediates that couldn't modified the message without colluding with
> that next hop.
>

That's also how I see it.


> For instance, if we have two ARC-participating hops, and it was a
> non-participating hop between them who modified the message, we could
> localize the breakage to being at or between the two hops, but could not
> with certainty ascribe it to either hop, which is why ARC has avoided this.
>
>
> If you trust hop 2, you can confirm that it was modified since hop 1 (or
> that hop 1 can't form a valid signature).
>
> If you don't trust hop 2, then you don't know anything at all about the
> message before hop 2, regardless of any signatures.
>
> If that isn't clear, then I didn't explain myself very well on our call!
> Unless you trust hop 2, everything before that is meaningless, regardless
> of ARC headers.  An ARC chain through an untrusted hop 2 could be totally
> fiction.
>

Nope, we're in agreement.


> Yes, that makes sense - So long as each AAR includes the signing domain
> that it checked against for its arc=pass, then no information is lost.
>
>
> So much of ARC keeps trace information that might be useful to someone at
> some point, it feels very weird to throw some headers out and keep others.
> I argue we keep them all, and (to the discussion around Experimental
> status) see what ends up being useful after this is in the wild for a bit.
> This data can always be tossed later if it serves no real world purpose.
>
>
> "might be useful to someone at some point" - that kind of wooliness is a
> crock, sorry.  Once crypto doesn't validate it has no meaning if all the
> data is present elsewhere - and everything that an AMS claims except for
> the crypto over the message is duplicated in the next hop's AAR.
>
> If that's not the case, we should fix it so that it is.
>
> "see what ends up being useful after this is in the wild for a bit" makes
> sense for informational records.  It doesn't make sense for cryptographic
> data.  Either the crypto is sound and it means something, or it's actively
> misleading.  A no-longer-validating AMS contains nothing that the next
> hop's AAR doesn't contain.
>

So there have been two years of discussion about this on the list, and the
consensus was that ARC will include trace information - like all
non-originating AARs - because that information might be interesting or
useful to some party at some point. Google has many instances where a
non-originating AAR has the information that matters to them. But the tl;dr
here is simply that the decision was made at its inception to include extra
information that might be helpful later, and that the working group wasn't
open to re-evaluating that decision because the body of ARC was built on
it. If that's the design decision, then we need to be consistent in its
application - which means not throwing out excess data, especially if
someone says "that might be valuable to me."


>
>
>
> I just had a really good chat with Seth on Skype half an hour ago about
> this.  He was unable to find a case where having a full AS,AMS,AAR adds any
> provable value over just checking the most-recent AMS and having AAR
> signed.  I do like your proposal of signing ALL the existing AARs, because
> they're the thing of value.  Old AMS have no value, and old AS have no
> value either so long as you have a cv=pass on the current AS.
>
>
> That's not quite what I said ;-)
>
>
> OK, did I misunderstand?
>
> You couldn't quote a case where AS,AMS,AAR adds provable value over an AMS
> that signs the most recent AAR.  If you can find that case, I will eat all
> my words, because I've spent a lot of time thinking through the cases.
>
> I agree with what Brandon seemed to be saying above - that it should be
> all the AAR being signed, not just the top one.  Otherwise an intermediate
> could strip or modify earlier AAR without breaking the authentication, and
> that would be bad.  Each AAR contains real, valuable, meaningful data.
>

I said the AS forces anyone who modified the chain to sign. In the obvious
"all trusted" and "clearly untrusted" signers cases, the AS doesn't seem to
add much value. But if a bad actor finds a way to send a chain through a
good intermediary, then not having an AS would allow this message to be
delivered. This is an edge case, and maybe doesn't matter - but the AS
certainly protects against it.

The spec already covers all AARs by the AS.


>
> As far as I see, we're quibbling over how much cryptographic
> infrastructure is needed to maintain the integrity of the chain of AAR
> headers.
>
> If you throw old AMSs out, you cannot validate current ASs or walk the
> chain back.
>
>
> So what.  AS is bunk.
>
> A current AMS over all AAR gives the same auditability, since AAR is the
> only thing that has meaning.  AMS only has meaning while it still
> validates, and AS only has meaning because it ties AMS and AAR together.
> Those meanings don't add value.  None of them mean jack once you've been
> through an untrusted site, all previous headers are suspect regardless of
> whether they have crypto that still validates, unless that crypto covers
> facts about the message which we actually care about.
>

I thought our discussion ended with the AS adding an extra layer that was
benign at worst, and protected against future unknown attacks at best. And
your concern was the overhead of evaluating the AS on DNS, especially for
long chains. I thought where we ended was your suggestion that the spec
only requiring validation of the latest AS and AMS, and implementations MAY
validate all AS's if they wish.

If this is the case, then we can't throw out any AMS because none of the
ASs would validate any longer.


>
> I'll suggest language for stamping "first AMS failure", but we shouldn't
> strip old AMS/AS headers.
>
>
> This is where we disagree.  We shouldn't create AS headers in the first
> place.
>

This is 180 degrees from where we left off on the call.


> We should have AMS sign all the AAR and that's it.  No AS, no need to
> retain broken AMS.
>
> It gets you all the same machine readable chain of custody as AS+AMS+AAR
> in the unbroken case, and it breaks at the same place with the same
> detectability in the fraudulent-actor case.
>

I'll let someone who's more familiar with where ARC started from - my
understanding was that ARC stemmed from something similar to AMS+AAR being
insufficient, but I don't have enough context here to provide meaningful
insight.

Seth

There are no other cases.  There's no middle here.
>
> Please do prove me wrong if you can think of another case, I really can't.
>
> Bron.
>
> --
>   Bron Gondwana, CEO, FastMail Pty Ltd
>   brong@fastmailteam.com
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>

v2.23.0 | Report a Bug | By Email