Re: [dmarc-ietf] DMARC threat analysis needed
Doug Foster <fosterd@bayviewphysicians.com> Fri, 17 July 2020 18:57 UTC
Return-Path: <btv1==46712d5acd3==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F06763A0062 for <dmarc@ietfa.amsl.com>; Fri, 17 Jul 2020 11:57:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qqf_sBn69dfN for <dmarc@ietfa.amsl.com>; Fri, 17 Jul 2020 11:57:35 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75D2D3A0061 for <dmarc@ietf.org>; Fri, 17 Jul 2020 11:57:35 -0700 (PDT)
X-ASG-Debug-ID: 1595012253-11fa313a103fb0c0001-K2EkT1
Received: from webmail.bayviewphysicians.com (webmail.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id eFg3E5Jns5LOCMS8 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO) for <dmarc@ietf.org>; Fri, 17 Jul 2020 14:57:33 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h=message-id:subject:to:from; bh=scQKeBPeCg4PeYiS+zpD4wa53yk/h02Q5M/EeVGr5Nc=; b=B1MQiZvJJ3FmSV7Ea426We26kGCHMsWLPlyF4UMwn2huv1+m6c8Nqw8B/lr8OrTjv KzfkVivKlqdDeYlgmwhUnEQvFtnKqvKoJNLAtCS9ff2WjA+CMlD0UfJ91Fxa4Dknj itwXT2DwLmw1WqO+sHy9mxpqLxQyuaXEF0tI3Q79Q=
Received: from MSA189 (UnknownHost [192.168.2.108]) by webmail.bayviewphysicians.com with SMTP (version=TLS\Tls12 cipher=Aes256 bits=256); Fri, 17 Jul 2020 14:57:26 -0400
From: Doug Foster <fosterd@bayviewphysicians.com>
X-Barracuda-RBL-IP: 192.168.2.108
To: dmarc@ietf.org
References: <ab2296fb-201a-3bfb-f61c-27848ac5acf3@bluepopcorn.net> <5F11CB6C.3050101@isdg.net>
In-Reply-To: <5F11CB6C.3050101@isdg.net>
Date: Fri, 17 Jul 2020 14:57:25 -0400
X-ASG-Orig-Subj: RE: [dmarc-ietf] DMARC threat analysis needed
Message-ID: <003001d65c6c$1c5f2870$551d7950$@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQC3u6y5BaD8VeOrNq3nQJhb0ovUHwIETSi1qzk0iOA=
Content-Language: en-us
X-Exim-Id: 003001d65c6c$1c5f2870$551d7950$
X-Barracuda-Connect: webmail.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1595012253
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 5152
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.83268 Rule breakdown below pts rule name description ---- ---------------------- --------------------------------------------------
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/oVWkpHZaWfF7n9NLt34W7IjNXiU>
Subject: Re: [dmarc-ietf] DMARC threat analysis needed
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2020 18:57:37 -0000
Hector, I think I am reading RFC 5016 section 5.3 differently from you. My paraphrase: This SSP assertion is allowed: "Example.com says: Example.com messages can be considered authorized if and only if they have a signature from our domain." This SSP assertion is not allowed: "Example.com says: Example.com messages can be considered authorized if and only if they have a signature from our domain, and DO NOT have a signature from OtherGuy.com domain" The second assertion is not allowed because Example.com should not be "impugning" the validity of a signature from OtherGuy.com. Example.com is not empowered to be a reputation service for unrelated entities. However, the language of this section directly supports the DMARC implementation. To solve the MLM problem, you need to explain how MLMs become authorized by the author domain to send on behalf of the author, without authorizing spammers to send on behalf of the author. It seems that we have an architectural problem because the current infrastructure assumes a single author. In reality, we have multiple situations that involve multiple authors. For example, this message includes your entire note, and your note includes part of Jim's note. But those notes no longer have valid digital signatures, so there is no proof that I have represented you correctly, and it is technically possible for me to rewrite your comments entirely. A similar problem occurs if my spam filter adds content to a message as it arrives into my domain, content that is really intended for "internal use only". The additions will break incoming signatures, although this is tolerable because signatures are not checked again, as long as the message remains internal. But if a message is auto-forwarded to another domain, the additions are probably inappropriate and the message no longer passes Sender Authentication. I would like to be able to preserve the original signature throughout, and remove the internal spam filter content when the message leaves the internal domain. Consequently, I am dreaming about an architecture that allows mediators to add content under their own signature without voiding the signature of other sections. The concept is a combination of John's ARC project, which uses nested signatures , and Murray's tagged content, which acts as a change log. It would allow an MUA to clearly identify the content contributed by the different authors, and it would contribute to solving the MLM problem. It is easier to imagine how it could be used to identify additions, such as a message footer, then to identify alternations, such as a URL rewrite. And the whole thing may be too complicated to implement in a way that is upward compatible with the present architecture. But it would be a better model of reality. Doug Foster -----Original Message----- From: dmarc [mailto:dmarc-bounces@ietf.org] On Behalf Of Hector Santos Sent: Friday, July 17, 2020 12:02 PM To: dmarc@ietf.org Subject: Re: [dmarc-ietf] DMARC threat analysis needed On 7/15/2020 8:14 PM, Jim Fenton wrote: > Unburying this from a different thread. > > I'm really struggling to understand what problem(s) DMARC is trying to > solve. The most common answer I have heard says something about > "defending brand identity", which is a marketing, not a technical > consideration. > > IMO we need a threat analysis, ala RFC 4686 or RFC 5016, to define the > technical requirements. I am NOT volunteering to do this. Jim, if we review both RFC4686 and RC5016, I believe we might find there is not much to be changed. However, imo, something will have to be done regarding RFC5016 section 5.3 item: https://tools.ietf.org/html/rfc5016#section-5.3 5.3. Practice and Expectation Requirements 10. SSP MUST NOT provide a mechanism that impugns the existence of non-first party signatures in a message. A corollary of this requirement is that the protocol MUST NOT link practices of first party signers with the practices of third party signers. INFORMATIVE NOTE: the main thrust of this requirement is that practices should only be published for that which the publisher has control, and should not meddle in what is ultimately the local policy of the receiver. This provision with strict protocol language "MUST NOT" prohibits any DKIM Policy protocol, formally called SSP "Sender Signing Practices" and now today, DMARC, from impugning on 3rd party policies such as how a MLM operator via local policy exceptions can ignorantly and blinding destroy the integrity and resign the mail instead of just honoring it. This language would have be updated or removed and just leave the implicit idea that local policy always prevails in all SMTP situations. Have a good weekend, be safe. -- Hector Santos, https://secure.santronics.com https://twitter.com/hectorsantos _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
- Re: [dmarc-ietf] DMARC threat analysis needed Doug Foster
- [dmarc-ietf] DMARC threat analysis needed Jim Fenton
- Re: [dmarc-ietf] DMARC threat analysis needed Dotzero
- Re: [dmarc-ietf] DMARC threat analysis needed Hector Santos
- Re: [dmarc-ietf] DMARC threat analysis needed Jim Fenton
- Re: [dmarc-ietf] DMARC threat analysis needed Jim Fenton
- Re: [dmarc-ietf] DMARC threat analysis needed Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC threat analysis needed Alessandro Vesely
- Re: [dmarc-ietf] DMARC threat analysis needed Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC threat analysis needed Alessandro Vesely
- Re: [dmarc-ietf] DMARC threat analysis needed Brandon Long
- Re: [dmarc-ietf] DMARC threat analysis needed Murray S. Kucherawy