Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy

Terry Zink <tzink@exchange.microsoft.com> Tue, 19 May 2015 19:02 UTC

Return-Path: <tzink@exchange.microsoft.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B46571A8BBF for <dmarc@ietfa.amsl.com>; Tue, 19 May 2015 12:02:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.699
X-Spam-Level: *
X-Spam-Status: No, score=1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_34=0.6, J_CHICKENPOX_37=0.6, J_CHICKENPOX_44=0.6, J_CHICKENPOX_48=0.6, J_CHICKENPOX_54=0.6, J_CHICKENPOX_64=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id emjFbgxzl0TZ for <dmarc@ietfa.amsl.com>; Tue, 19 May 2015 12:02:01 -0700 (PDT)
Received: from na01-by1-obe.outbound.o365filtering.com (na01-by1-obe.ptr.o365filtering.com [64.4.22.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 875BF1ACE1A for <dmarc@ietf.org>; Tue, 19 May 2015 12:00:58 -0700 (PDT)
Received: from BLUSR01MB601.namsdf01.sdf.exchangelabs.com (10.255.124.166) by BLUSR01MB602.namsdf01.sdf.exchangelabs.com (10.255.124.167) with Microsoft SMTP Server (TLS) id 15.1.178.2; Tue, 19 May 2015 19:00:56 +0000
Received: from BLUSR01MB601.namsdf01.sdf.exchangelabs.com ([169.254.1.161]) by BLUSR01MB601.namsdf01.sdf.exchangelabs.com ([169.254.1.161]) with mapi id 15.01.0178.004; Tue, 19 May 2015 19:00:56 +0000
From: Terry Zink <tzink@exchange.microsoft.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Thread-Topic: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy
Thread-Index: AQHQkSLjmR8NgZwmBEqnwBkgIc5yZJ2CdTYQgAAL4QCAAE1PAYAAAuMAgABflICAAB0JAIAALQsQgAAc9ICAAAbY0IAABTkAgAACBJA=
Date: Tue, 19 May 2015 19:00:55 +0000
Message-ID: <BLUSR01MB6013616DB0595915B05943396C30@BLUSR01MB601.namsdf01.sdf.exchangelabs.com>
References: <555656FC.5010609@dcrocker.net> <CAL0qLwZSG_X-sfcZHPaYxvbdFg9K8bFsLMO2KhGczOnxgVqkkw@mail.gmail.com> <BL2SR01MB605A700BA2C4C0775AC71DA96C30@BL2SR01MB605.namsdf01.sdf.exchangelabs.com> <CAL0qLwaLT3KPVFtobLO2PfSXkhRSn0BPojmOZwMqDytbNVt-DA@mail.gmail.com> <1432015208815.92898@exchange.microsoft.com> <CAL0qLwa0K32PMEHqNGdzPnmFHTNnsfJVO7mgjWm8Bz5qWs5-zw@mail.gmail.com> <BB1FE7AA-98BD-4061-919B-8E513F755877@kitterman.com> <CAL0qLwabuvNbBJj=CM406oK0p56kxjX8US4A2EjFY9LB3q9yfg@mail.gmail.com> <BL2SR01MB605E2B914F599D1870665F296C30@BL2SR01MB605.namsdf01.sdf.exchangelabs.com> <CAL0qLwYXYnyae8GrEvtOryhBbO23jtW=m9cMJ8agLr2drK+Xpg@mail.gmail.com> <BL2SR01MB605139131216D39D517127396C30@BL2SR01MB605.namsdf01.sdf.exchangelabs.com> <CAL0qLwYtRvpOGy2R2qpLmTXt124zGnUi2g+ZkTCJtb_6=HBikw@mail.gmail.com>
In-Reply-To: <CAL0qLwYtRvpOGy2R2qpLmTXt124zGnUi2g+ZkTCJtb_6=HBikw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.107.192.30]
x-microsoft-exchange-diagnostics: 1; BLUSR01MB602; 3:RoUzyjBqMFl+vegN38eBVoj4yzUuYXxl3fowUzSCV3QCgcg/8jpWpYxeDerzfvKw8VVIVTFTCmAO0LhZyTAS2oZSPvuaJSIjbqNPR33bE+hJko5Emm9eXMwmkKbpTQwmxN4Ed2dU1w34fD8Trbivlw==; 10:A35Ob2fDdsBCLMRsmIZ5NPqNRvKjmRx01hbCKTt+GQywJLfAC9T8rFQ537coE3cz7XOB1G2wkaPFO/E9VN/xO5/3Xe2Kyhi8X/VbAdr8qLo=; 6:VNvYbQsIHULRUWvTa2X+JGsVIDr4fyD2ebbkQ1Hr1NkHjOW6T2L8z1YIjX5mkOmV
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUSR01MB602;
x-microsoft-antispam-prvs: <BLUSR01MB6024E53D65B29A9DA9C0DC296C30@BLUSR01MB602.namsdf01.sdf.exchangelabs.com>
x-forefront-antispam-report: BMV:1; SFV:NSPM; SFS:(10019020)(199003)(24454002)(377454003)(189002)(54356999)(50986999)(76176999)(46102003)(105586002)(19617315012)(106356001)(85806002)(2656002)(1411001)(87936001)(106116001)(66066001)(16236675004)(19609705001)(64706001)(33656002)(101416001)(19300405004)(93886004)(19580395003)(19580405001)(19625215002)(92566002)(5001920100001)(5001960100002)(110136002)(97736004)(81156007)(4001540100001)(5001830100001)(16601075003)(5001860100001)(2950100001)(62966003)(2900100001)(102836002)(189998001)(15975445007)(86362001)(77156002)(68736005)(5890100001)(48203002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUSR01MB602; H:BLUSR01MB601.namsdf01.sdf.exchangelabs.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(5005002)(5002009)(3002001); SRVR:BLUSR01MB602; BCL:0; PCL:0; RULEID:; SRVR:BLUSR01MB602;
x-forefront-prvs: 0581B5AB35
received-spf: None (protection.outlook.com: exchange.microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tzink@exchange.microsoft.com;
Content-Type: multipart/alternative; boundary="_000_BLUSR01MB6013616DB0595915B05943396C30BLUSR01MB601namsdf_"
MIME-Version: 1.0
X-OriginatorOrg: exchange.microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 May 2015 19:00:55.7356 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f686d426-8d16-42db-81b7-ab578e110ccd
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUSR01MB602
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/npYMLEwtAxm6pJb_ph4QyybQ0E4>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>, Scott Kitterman <sklist@kitterman.com>
Subject: Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 May 2015 19:02:03 -0000

I think we’re making progress here. So, a message would look like this:

From: joe@authordomain.example
Authentication-Results: spf=pass (sender IP is xx.xx.xx.xx) smtp.mailfrom=mlm.example;
    dkim=fail (invalid body hash) header.d=authordomain.example;
    dkim=pass (signature was verified) header.d=authordomain.example;
    dkim=pass (signature was verified) header.d=mlm.example;
    dmarc=pass header.from=authordomain.example (action=none cd=mlm.example)
DKIM-Signature: v=1; d=authordomain.example; s=selector; ...
DKIM-Signature: v=2; d=authordomain.example; s=selector; !cd=mlm.example; l=0; t=<now+30 seconds>
DKIM-Signature: v=1; d=mlm.example; s=foobar; ...

Some questions:

1. This should be resistant to a replay attack 12 hours in the future because the “t=<now+30 seconds>” is part of the DKIM signature for v=2, and if a phisher copy/pastes it and changes “v=2” to “v=1”, the “t=” part will be long past. Right?

2. This will be susceptible to a replay attack for 30 seconds after initially sending it out, but only to the mailing list. Right?

3. Verifiers need to know (enforce?) that a DKIM signature of “v=2 !cd=<blah>” is not enough to verify a real signature without the corresponding “v=1 d=<blah>” additional DKIM signature. In other words, “v=2 !cd=<blah>” is useless unless paired with something else. Right?

4. How should reputation engines accrue this message? To authordomain.example (the one in the header.from)? Or to mlm.example, the one in the smtp.mailfrom and DKIM d= domain that contained the strong signature?

5. Verifiers will need to check at least 3 DKIM signatures. Is there a limit on the number of signatures they should check? Presumably we wouldn’t want a verifier to check 30 signatures.

6. What is the proposed t= time limit? Is 30 seconds enough? Too long? Too little?

-- Terry

From: Murray S. Kucherawy [mailto:superuser@gmail.com]
Sent: Tuesday, May 19, 2015 11:39 AM
To: Terry Zink
Cc: Scott Kitterman; dmarc@ietf.org
Subject: Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy

On Tue, May 19, 2015 at 11:24 AM, Terry Zink <tzink@exchange.microsoft.com> wrote:
> Sure, but can it just be in a comment if you find that useful, or is it necessary to
> make that fact something a consumer of the field can parse out?
Putting it into a comment is fine, maybe something like “dmarc=pass action=none header.from=<domain.com> conditional.to=<mailinglist.net>”. I think it’s permissible to add additional fields like that into A-R, isn’t it?

More like:
dmarc=pass header.from=<domain> (action=<foo>, cd=<domain2>)
> I've always found the details of how it came to that conclusion to be of only secondary interest

I agree with the reasons you outline, but when debugging and troubleshooting potentially tens, hundreds, or thousands of messages per day, it’s no longer secondary. It’s also easier to collect statistics on how many messages are conditionally passing DMARC and what mailing list or forwarder it is attached to.

You can create whatever structure you want in the comment (between parentheses).
-MSK
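Editor's note, added to this archived message and not part of the thread or of any DKIM/DMARC implementation: the following Python sketch models the verifier behaviour Terry's questions 1, 2, 3 and 5 describe, using a constructed copy of the headers above. It pairs each dkim= result in Authentication-Results with the DKIM-Signature header at the same position (an assumption; real verifiers would key on header.b or similar), treats the v=2 / !cd= signature as usable only when a passing v=1 signature from the !cd= domain is also present, reads the v=2 signature's t= as the end of the acceptance window exactly as the thread uses it (note that RFC 6376 defines t= as signing time and x= as expiry, so this follows the proposal's wording, not the published DKIM tag semantics), enforces strict From/d= alignment only, and caps the number of signatures it will evaluate with a hypothetical constant. The !cd= tag, the cd= comment and MAX_SIGNATURES are assumptions taken from or added to the proposal, not standard tags.

```python
import re

# Constructed sample mirroring the message sketched in the thread (not a captured message).
SAMPLE_FROM = "joe@authordomain.example"
SAMPLE_AR = (
    "spf=pass (sender IP is 192.0.2.1) smtp.mailfrom=mlm.example; "
    "dkim=fail (invalid body hash) header.d=authordomain.example; "
    "dkim=pass (signature was verified) header.d=authordomain.example; "
    "dkim=pass (signature was verified) header.d=mlm.example"
)


def sample_signatures(now):
    """DKIM-Signature values in header order. t= on the v=2 signature is the thread's
    'now + 30 seconds' window (hypothetical semantics, not RFC 6376's signing time)."""
    return [
        "v=1; d=authordomain.example; s=selector; h=from:to:subject; bh=...; b=...",
        f"v=2; d=authordomain.example; s=selector; !cd=mlm.example; l=0; t={now + 30}",
        "v=1; d=mlm.example; s=foobar; h=from:to:subject; bh=...; b=...",
    ]


MAX_SIGNATURES = 5  # hypothetical cap on signatures a verifier will evaluate (question 5)


def parse_ar_dkim(value):
    """Return [(result, header.d)] for each dkim stanza of an Authentication-Results value."""
    out = []
    for stanza in value.split(";"):
        stanza = re.sub(r"\([^)]*\)", "", stanza).strip()  # drop the (comment) parts
        if not stanza.startswith("dkim="):
            continue
        result = stanza.split()[0].split("=", 1)[1]
        m = re.search(r"header\.d=(\S+)", stanza)
        out.append((result, m.group(1) if m else None))
    return out


def parse_tags(sig):
    """Split a DKIM-Signature tag list into a dict; '!cd' is kept as the key name."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def aligned(from_addr, domain):
    """Strict DMARC alignment only (assumption): the From domain must equal d= exactly."""
    return from_addr.rsplit("@", 1)[-1].lower() == domain.lower()


def dmarc_result(from_addr, ar_value, signatures, now):
    """Decide the dmarc= outcome and the comment the thread proposes for the A-R line.

    Assumes the verifier listed its dkim results in the same order as the
    DKIM-Signature headers, so the two lists can be paired positionally.
    """
    if len(signatures) > MAX_SIGNATURES:
        return "fail", f"too many signatures ({len(signatures)} > {MAX_SIGNATURES})"
    results = parse_ar_dkim(ar_value)
    if len(results) != len(signatures):
        return "fail", "dkim results do not line up with DKIM-Signature headers"
    passing_v1 = set()
    conditional = []
    for (result, hd), sig in zip(results, signatures):
        tags = parse_tags(sig)
        if tags.get("d", "").lower() != (hd or "").lower():
            return "fail", "header.d does not match the d= of the paired signature"
        if result != "pass":
            continue
        if tags.get("v") == "1":
            passing_v1.add(tags["d"].lower())
        elif tags.get("v") == "2" and "!cd" in tags:
            conditional.append(tags)
    # Ordinary DKIM path: an aligned, passing v=1 signature is sufficient on its own.
    if any(aligned(from_addr, d) for d in passing_v1):
        return "pass", "action=none"
    # Conditional path (question 3): a v=2/!cd= signature counts only when paired with a
    # passing v=1 signature from the !cd= domain, and only inside its t= window (questions 1, 2).
    for tags in conditional:
        if not aligned(from_addr, tags["d"]):
            continue
        try:
            window_end = int(tags.get("t", "0"))
        except ValueError:
            continue
        if now > window_end:
            continue  # replayed after the window: the conditional signature is stale
        if tags["!cd"].lower() in passing_v1:
            return "pass", f"action=none cd={tags['!cd']}"
    return "fail", "no aligned passing signature"


if __name__ == "__main__":
    now = 1_432_062_055  # arbitrary fixed epoch time so the demo is reproducible
    sigs = sample_signatures(now)
    print("fresh:    ", dmarc_result(SAMPLE_FROM, SAMPLE_AR, sigs, now))
    print("12h later:", dmarc_result(SAMPLE_FROM, SAMPLE_AR, sigs, now + 12 * 3600))
```

Run as-is, the fresh case yields the ("pass", "action=none cd=mlm.example") outcome the thread's A-R line shows, and the same headers presented 12 hours later fail because the v=2 signature's window has closed; dropping the mlm.example v=1 pass also turns the result into a fail, which is the pairing rule of question 3 in code.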