IETF Logo Mail Archive

Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion

"Stan Kalisch" <stan@glyphein.mailforce.net> Fri, 31 May 2019 17:34 UTC

Return-Path: <stan@glyphein.mailforce.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8289120346 for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 10:34:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mailforce.net header.b=KYQoO4a6; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=6ZuuBwQg
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mKwWG2lar9qq for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 10:34:20 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69DF7120352 for <dmarc@ietf.org>; Fri, 31 May 2019 10:34:12 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 7DD0D210DC; Fri, 31 May 2019 13:34:11 -0400 (EDT)
Received: from imap6 ([10.202.2.56]) by compute7.internal (MEProxy); Fri, 31 May 2019 13:34:11 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailforce.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type; s=fm3; bh=5Uy8CtT8YVxeGMQuUfSZys/T0I7d h4Mr28YVLfIUy3o=; b=KYQoO4a6n5vilEbbYDr3494T9CgVzTeV3udrkQdbjFH2 Q9gjMSwpkZuN/nRl2nTZhdO8u00gi71JF51aV1+Y8zwzMbwreRfS2hZ2MnCsSmF7 XPAdbKKZrOHCZAWYE6wzvCbRsu0tvwKH5v4k4JfV5ciffeqqZp5i0pO241cTnEsT xh63WWKzfuvd+RR611dcXbWNGKYcGrbt0xpq46h7wTWSHFWSFCTmOUUEbAb15VJ8 Rq5/dUYlYPZsmf0FN3ohWbaOyY3N4G6ojlM47j41GMNOb9Db7w5YWDMDf+SrvYFu 3m8DtxYvnTOBEEy5cZH9+fbTIBQm7pwLaFVq8IohAg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=5Uy8Ct T8YVxeGMQuUfSZys/T0I7dh4Mr28YVLfIUy3o=; b=6ZuuBwQgUbAEDEW3AsM1U+ BeCWQqQHD7vSsVuMmFCZgos2sRCWQWw1H4oC2WidWh14hPD7EyVl7FCGHDYq1s9Z M7Z60itwn8SGc1ex6swFUdTDYku2s3E6DzBaB8/vKUHsJ6MlMG/kqQeJ78esIUqB Tpz9b+T7RpO8MRQyr+u1xf/QU9o60Y3ab44oP/7R2B/xvOxCXlq2r1yaeHcMe8xm 54VKqvvHWpmkmfpz/V/Z6zh7p68i1p4pSe5ivrl3g4XRmYK3+F/BI8NDuCqQRLMx /uc6MrV7YkGGeGX6CGJFWHUs415Vt560YV36kiEF8xKQ1LJ1LK+5ktvtlTh8wH6w ==
X-ME-Sender: <xms:kmXxXNJlrUspFgXE6Ps320UROg8PWkLJ5EkirDpoUky0r7ESNO81lg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrudefuddguddukecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefofgggkfgjfhffhffvufgtsegrtderreerredtnecuhfhrohhmpedfufht rghnucfmrghlihhstghhfdcuoehsthgrnhesghhlhihphhgvihhnrdhmrghilhhfohhrtg gvrdhnvghtqeenucffohhmrghinhepihgvthhfrdhorhhgpdgssghifidrnhgvthenucfr rghrrghmpehmrghilhhfrhhomhepshhtrghnsehglhihphhhvghinhdrmhgrihhlfhhorh gtvgdrnhgvthenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:kmXxXGzBhknvLD1QNjxdJql5EzaUsmsfnT69Xg9PyVSost6SroC_cg> <xmx:kmXxXNH07yZ1tJNNIII72U6N_QTcFTGMgtuU4BdfqJ6HGXaththf7Q> <xmx:kmXxXGnP8uqrg8YgeKNfmzoaJuSnqecpOddndMl9ulU7uSbeDh7x6A> <xmx:k2XxXCnhurkoRx7RqpwCLWizfEEjL4FGgRs7E1N8PreHTjQJsUG73g>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id BE70B1400A0; Fri, 31 May 2019 13:34:10 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-555-g49357e1-fmstable-20190528v2
Mime-Version: 1.0
Message-Id: <5f121135-7ae9-4219-aacf-fac253ecad08@www.fastmail.com>
In-Reply-To: <f5106924930f41c5bd83a709e4307f8b@bayviewphysicians.com>
References: <54FB29A0-517A-430E-AF5B-CB079CC3D7F6@aegee.org> <20190526144848.08A772014A0BF4@ary.qy> <CAL0qLwbxwLTpgYJN9qBTzi2oN1EMvAYuNoDbw5Rx5W46-WNyLA@mail.gmail.com> <alpine.OSX.2.21.9999.1905301712140.76792@ary.qy> <c559a331d90b49eba5b5f6e35ff4774a@bayviewphysicians.com> <1931a4e4-7112-56ae-24e6-b138466392b4@dcrocker.net> <f5106924930f41c5bd83a709e4307f8b@bayviewphysicians.com>
Date: Fri, 31 May 2019 13:34:08 -0400
From: Stan Kalisch <stan@glyphein.mailforce.net>
To: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="55f07ef4e38d4018ac744db198136f97"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/nSwx-sK8K9up-N0Y0-5YG--DZkQ>
Subject: Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 17:34:24 -0000

On Fri, May 31, 2019, at 6:59 AM, Douglas E. Foster wrote:
> I cannot speak to IETF consensus, since I am new to that process and I seem to be an outlier already.
> 
> Agency and signatures are well understood legal concepts. 3000 years ago, people sealed their letters with a signet ring stamped in warm clay. Signing technologies have changed in that time, but the principle has not.

It would probably behoove you not to lecture experts in Internet messaging about 3000 years of history on a public mailing list. I'm just saying.


Thanks,
Stan

> 
> A courier is responsible for keeping the signed and sealed part of a message unaltered. Envelope marks are acceptable.
> 
> A digital signature is supposed to provide non-repudiation. If I submit a signed message to a list processor, and the list processor voids the signature, it has given me verifiable repudiation, the opposite of what either sender or receiver want. 
> 
> A closed group on a single server can use whatever rules they choose to implement in that community. For example, a web forum operates on the rules of the forum operator. However, an open group using the email infrastructure has to work within the infrastructure it uses. In the email infrastructure, the recipient has to deal with fraud, and any recipient accommodation to "harmless" fraud facilitates the people who are doing "harmful" fraud to that recipient.
> 
> There are some obvious use-cases for MTA changes to a message, and we would do well to document and address them.
> 
> The first that comes to mind is MTA comment fields.
> - A list processor wants to add a comment indicating something about the list that sent it.
> - A spam filter wants to add a tag indicating that the message is suspicious, but not sufficiently suspicious to be blocked.
> 
> IETF would do well to specify a mechanism for MTAs to add information which MUAs present to the user, while identifiying that that the information came from the MTA rather than the original sender.
> 
> Another use-case is related to body sections. IETF only forwards plain text, while most email solutions send messages in HTML+Text. I assume that IETF also drops attachments. DKIM cannot handle this because it hashes the entire body. A signature system that signed each section individually would allow sections to be dropped, with notification to the user, without breaking the signatures on the other MIME types.
> 
> DKIM was supposed to provide sender authentication when SPF was invalidated by forwarding, so DMARC said that the two techniques should be evaluated together. I am realizing that if SPF is invalidated, DKIM is probably invalidated as well, so we have no usable sender authentication technology. This may explain why so many products that I have examined lack support for DMARC or lack good exception mechanisms for SPF, DKIM, and DMARC.
> 
> It seems that email needs something like "DNS Flag Day", where major players announce a date after which certain behaviors that will no longer be tolerated. But as others have said, IETF is not that organization, and the organization may not exist.
> 
> More discouraged than ever,
> 
> Doug Foster
> 
> 
> 
> 
> 
> 
> 
> 
> 
> *From*: "Dave Crocker" <dhc@dcrocker.net>
> *Sent*: Friday, May 31, 2019 12:41 AM
> *To*: fosterd@bayviewphysicians.com
> *Cc*: "IETF DMARC WG" <dmarc@ietf.org>
> *Subject*: Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion 
> 
> On 5/30/2019 7:49 PM, Douglas E. Foster wrote:
>  > I rather hoped that IETF would be the poster-boy for list processing
>  > done correctly.
> 
>  "Correctly"?
> 
>  A message to a list is 'delivered' to the list. As in, it goes to the
>  specified addresse... the list. A message from a list has been
>  re-posted by the list.
> 
>  There are no constraints on the changes that are permitted to a message,
>  before it is re-posted. There are no specifications that limit or
>  direct the behaviors of a list processor.
> 
>  Different groups want and probably need different behaviors by a list
>  processor. Periodic efforts to create such constraints have failed.
> 
>  So while it would certainly make things easier to have list processors
>  behave in a simple, consistent manner, there's ample evidence that ain't
>  gonna happen.
> 
>  If you can link the 'correctly' you are suggesting, to some documented,
>  community consensus, please cite it.
> 
> 
>  d/
> 
>  --
>  Dave Crocker
>  Brandenburg InternetWorking
>  bbiw.net
> 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email