IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

"Kurt Andersen (b)" <kboth@drkurt.com> Mon, 20 August 2018 19:48 UTC

Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B906127148 for <dmarc@ietfa.amsl.com>; Mon, 20 Aug 2018 12:48:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19oU60X1hp3j for <dmarc@ietfa.amsl.com>; Mon, 20 Aug 2018 12:48:20 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40E89130DC6 for <dmarc@ietf.org>; Mon, 20 Aug 2018 12:48:20 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id f8-v6so12526573ljk.1 for <dmarc@ietf.org>; Mon, 20 Aug 2018 12:48:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:sender:from:date:message-id:subject:to:cc; bh=En6UKHLc01EUIy4udtoYSEXFVssPIkh+CSFFAth8N0w=; b=WhtNmgtLopau/DSspsa5eWT3Pzrscytg2FiBTW2uDiFQSbNkr1hE5TE116cy5RFvfb AtGyWzhXiCcUiwCQx8f2W3DEMxcbKM1isMLmgGxMnbGAxTcXVX1tz7I1IguR/T3trHVJ kWePP6IruosPx1U4k0+PeoCrkAEiFWq2XuakA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to:cc; bh=En6UKHLc01EUIy4udtoYSEXFVssPIkh+CSFFAth8N0w=; b=mg4hH+ZNm63bdNv4CpQIUR9jLnhEn9KTklEqtF2GxOzSlazJuHVXwnthQ2dumWFESS Iwmx3ymjeoG1xvF/1zDYQe4p1gJN7Txpu7+s90KAD+saD+YrJAG20Mczj623iIw83yJg aIdcVnozJ1Jg90Ruz82F93CPGiukeysztWbKBwk7Yj/kB2oWoParX3Aj8ZfuFAoeXMvw //cDCYznF3KmP707uQBKNx5FAnc7nOPdW3vcwl5oINcPyCTYO9SttG8AgCm8tj54Qmq0 4lc9on0C5Ct6pV25KFh5qjlskiJOJXWc9mAWL4xVrv5Ko8xmE/KKUHRpmUjOvqISk0Sj VtPQ==
X-Gm-Message-State: AOUpUlH+LWfbufk1/tcD0L4vwcnlMIrmYVFGQXAKPhpGdXPuVY4Hud8M k5xcXVUZsvgnKx3Guj2drf2GSqdObaTUAQg5RBx5nSbXHas=
X-Google-Smtp-Source: AA+uWPzeBwF0F2OieJ5o4tLxkRB2jAga8e6Ht3sIdJppUGZAT0PdC4DcZCbtNmgg8bdG3gXwGJjdyEl3kJavJqvXH0w=
X-Received: by 2002:a2e:9f4d:: with SMTP id v13-v6mr31257298ljk.42.1534794497971; Mon, 20 Aug 2018 12:48:17 -0700 (PDT)
MIME-Version: 1.0
Sender: kurta@drkurt.com
Received: by 2002:a19:5943:0:0:0:0:0 with HTTP; Mon, 20 Aug 2018 12:48:17 -0700 (PDT)
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Mon, 20 Aug 2018 12:48:17 -0700
X-Google-Sender-Auth: 5gbCwDYoROyximZrEOSAQLPw2b4
Message-ID: <CABuGu1qZY2PtLJG+A-1aHDKiKY_1VHRPZ5aNJ1ans4pHnczrzQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Cc: Seth Blank <seth@sethblank.com>
Content-Type: multipart/alternative; boundary="000000000000daf80e0573e33065"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/naSppCl1ns0NsFGLP8pTrL1xZJY>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2018 19:48:22 -0000

Seth and I discussed this topic today and I think that the central problem
that is being debated has to do with *generating* the DMARC report content.
Almost everyone agrees that a broken chain is broken and unredeemable -
whether that breakage is structural or whether it is because of
non-validating signatures. There are three possible levels of processing to
be considered:

   1. validating a particular individual message for delivery to the
   recipient - this is easy: a broken chain conveys no useful information for
   local policy determination
   2. feeding ARC information into some larger reputation/ML system in
   order to provide (what I'll call) a third order policy influence - this one
   depends on whether the reputation system can make any useful conclusions on
   the basis of the broken chain. In some cases (where a signature fails to
   verify) it seems possible, but in many others it seems a bit doubtful
   3. generating the DMARC report data pertinent to this individual message
   - this is where I think that the problem lies. There is a natural desire on
   the part of senders and report processors to want all the data that they
   can possibly get; however, it is easy to devise attack scenarios which
   heavily contaminate the reports if one were to take the content of the
   entire broken ARC chain into the report

My contention to Seth is that in a multi-hop scenario, the *only* report
with meaningful data will be the one from the handler who made the "fail"
determination and any subsequent reports are untrustworthy.

If we are not concerned with "downstream" handlers of a message with a
broken ARC chain, then there is no point in attempting to seal the entirety
of a failed ARC chain.

Do the other folks on this thread agree that our main point of contention
has to do with the ability to generate the DMARC report (or the data
scoping thereof)?

--Kurt

v2.23.0 | Report a Bug | By Email