[dmarc-ietf] Not knowing the organization domain causes chaos
Douglas Foster <dougfoster.emailstandards@gmail.com> Mon, 24 April 2023 10:41 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E220C151533 for <dmarc@ietfa.amsl.com>; Mon, 24 Apr 2023 03:41:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OJuXiqE6ZGlL for <dmarc@ietfa.amsl.com>; Mon, 24 Apr 2023 03:41:15 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4D15C14CF1C for <dmarc@ietf.org>; Mon, 24 Apr 2023 03:41:15 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id 38308e7fff4ca-2a8eb8db083so39832421fa.3 for <dmarc@ietf.org>; Mon, 24 Apr 2023 03:41:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1682332873; x=1684924873; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=HbsJAlWcgzop6tHHYu7b2xXYVfff1cPq/jXatJWQoHk=; b=WHEUiQ6Rnz1QJT1i3pKJ3BUvJ4eNiP6BesVNAU0V6EGDEmr+Lg6YbhG0XSRmptLnaS VC9XlwbCt4GstsXNFK/TyCWYS2A8/iGWWRvk2Dkw0qTUTF9pALrvG3r7+WpN6DNvypXp BmKjNMOlOkTn8s2y4hW0CuPKSAId8/kxdMs81zwhsOmlljxj1VHh4ylff6wPFrt7SP+y VQ1Iv3rpJXgD/kdCPBuUTnCu62pJ3Bzzo0MNsxg1Riu04iyq40/FWe9Gzc0Hv1/mZg9b y54BF8HtR37EyhT68ObCorImIMeFtGi6aPLRy73wKMRXI1qeDwjqA3rG1E+rvUK+kj+f /ajA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682332873; x=1684924873; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=HbsJAlWcgzop6tHHYu7b2xXYVfff1cPq/jXatJWQoHk=; b=j/kOzOMnX0+03aoHuFnKbA5HluBXzD3UkkzjwuTo+2aG25j74H+S4Hz1mZTiHH0gTd oo/hfOlNsp6Tbi30hsU0PBGyjXfgopn7Fa6/L5TrS3hEBRpj8MN0o8fTjo9rIk0W0fKz N3XfkbrP82Ux0ximaaJKErbopv85WJknoVkg7OMpffMdAS+5PglYy5SqljPiSWhv8Gm2 m4D1cXNv4bb85BvJ3thjYnF2jmi/C9+rjoy0iczSDCCGTQ/IZGSPamxWLNWDTt76XP0o qC38HOeXA0Ih9QJXHKU+1k1RU0ZcnmrnbhT9BdVBhdw+G9syJ4c3TK0PICQqMRloxwdM kYew==
X-Gm-Message-State: AAQBX9cMlckXP7BMrul9K4FnrNByB+8JAiboUmcX4jqqno3SIXMzfb4Q 5cV9BEk0CMn5jPmlkcILjIelXkPI0SZ+YxEoeGnKcAS/
X-Google-Smtp-Source: AKy350bkduW/fCTk5rz+sNKjCuZPqBbZKOVUhOVNQSu7scDY//8cpA2SCIQKIPl2LvFq1OwpmdaVGWBV6bfNIJFKyK0=
X-Received: by 2002:a2e:868e:0:b0:2a8:d103:dc8 with SMTP id l14-20020a2e868e000000b002a8d1030dc8mr2490569lji.2.1682332873025; Mon, 24 Apr 2023 03:41:13 -0700 (PDT)
MIME-Version: 1.0
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Mon, 24 Apr 2023 06:41:02 -0400
Message-ID: <CAH48ZfzWoA=LGWyg-=HB4AdRgAOB2GkmQh1ZvWpNOdhsiNv9Xw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004a6dbd05fa12a59b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/n3eNIULAHcKnyWfi9H7qr4MoHBo>
Subject: [dmarc-ietf] Not knowing the organization domain causes chaos
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Apr 2023 10:41:16 -0000
The only justification for dropping the PSD would be to put the domain owner in control of his organizational boundary. This requires: - The ability for the evaluator to determine whether the domain owner designed his data on RFC 7489 or on DMARCbis. - The ability for the domain owner to define organizational boundaries anywhere he desires, so that the monolithic organization assumed by RFC7489 can be broken into sub-organizations as appropriate to the domain. - The ability for the evaluator to know that the organization definition cannot be manipulated to create false authentication based on false sibling domain alignment. We have failed in this endeavor, and the currently proposed DMARCbis will create evaluation chaos. Evaluators will not know which algorithm to use for correct interpretation of DMARC data, and domain owners will not know which algorithm will be used by evaluators. We could not have done worse if we had tried. A serious attempt to define a usable DMARCbis requires: - A definition of "private registry" and its impact on DMARC trust. - Tagging of all DMARC policy data to indicate whether it is designed for RFC 7489 or DMARCbis. - Tagging of all DMARC policy data to indicate whether it implies an organization top, organization middle, organizational bottom, or organization top-and-bottom. - Documentation of the unnecessary risks created by sibling alignment, most likely to include phase-out. - Controls to prevent a malicious domain owner from asserting that his registry parent is part of the same organization, for the purpose of impersonating a sibling or parent domain. We should also drive DMARC toward strict alignment. Because of the overhead and the risk of organizational boundary detection, we should state that all DMARC-compliant messages should be signed, and the signature should provide strict alignment. Looser definitions are used to cope with the abundance of messages that are not DMARC-compliant but must be accepted. DMARC-compliant messages should not need alignment guesswork. Doug
- [dmarc-ietf] Not knowing the organization domain … Douglas Foster