IETF Logo Mail Archive

Re: [dmarc-ietf] DMARC threat analysis needed

Doug Foster <fosterd@bayviewphysicians.com> Fri, 17 July 2020 18:57 UTC

Return-Path: <btv1==46712d5acd3==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F06763A0062 for <dmarc@ietfa.amsl.com>; Fri, 17 Jul 2020 11:57:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qqf_sBn69dfN for <dmarc@ietfa.amsl.com>; Fri, 17 Jul 2020 11:57:35 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75D2D3A0061 for <dmarc@ietf.org>; Fri, 17 Jul 2020 11:57:35 -0700 (PDT)
X-ASG-Debug-ID: 1595012253-11fa313a103fb0c0001-K2EkT1
Received: from webmail.bayviewphysicians.com (webmail.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id eFg3E5Jns5LOCMS8 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO) for <dmarc@ietf.org>; Fri, 17 Jul 2020 14:57:33 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h=message-id:subject:to:from; bh=scQKeBPeCg4PeYiS+zpD4wa53yk/h02Q5M/EeVGr5Nc=; b=B1MQiZvJJ3FmSV7Ea426We26kGCHMsWLPlyF4UMwn2huv1+m6c8Nqw8B/lr8OrTjv KzfkVivKlqdDeYlgmwhUnEQvFtnKqvKoJNLAtCS9ff2WjA+CMlD0UfJ91Fxa4Dknj itwXT2DwLmw1WqO+sHy9mxpqLxQyuaXEF0tI3Q79Q=
Received: from MSA189 (UnknownHost [192.168.2.108]) by webmail.bayviewphysicians.com with SMTP (version=TLS\Tls12 cipher=Aes256 bits=256); Fri, 17 Jul 2020 14:57:26 -0400
From: Doug Foster <fosterd@bayviewphysicians.com>
X-Barracuda-RBL-IP: 192.168.2.108
To: dmarc@ietf.org
References: <ab2296fb-201a-3bfb-f61c-27848ac5acf3@bluepopcorn.net> <5F11CB6C.3050101@isdg.net>
In-Reply-To: <5F11CB6C.3050101@isdg.net>
Date: Fri, 17 Jul 2020 14:57:25 -0400
X-ASG-Orig-Subj: RE: [dmarc-ietf] DMARC threat analysis needed
Message-ID: <003001d65c6c$1c5f2870$551d7950$@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQC3u6y5BaD8VeOrNq3nQJhb0ovUHwIETSi1qzk0iOA=
Content-Language: en-us
X-Exim-Id: 003001d65c6c$1c5f2870$551d7950$
X-Barracuda-Connect: webmail.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1595012253
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 5152
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.83268 Rule breakdown below pts rule name description ---- ---------------------- --------------------------------------------------
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/oVWkpHZaWfF7n9NLt34W7IjNXiU>
Subject: Re: [dmarc-ietf] DMARC threat analysis needed
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2020 18:57:37 -0000

Hector, I think I am reading RFC 5016 section 5.3 differently from you.   My
paraphrase:

This SSP assertion is allowed:
"Example.com says:  Example.com messages can be considered authorized if and
only if they have a signature from our domain."

This SSP assertion is not allowed:
"Example.com says:  Example.com messages can be considered authorized if and
only if they have a signature from our domain, and DO NOT have a signature
from OtherGuy.com domain"

The second assertion is not allowed because Example.com should not be
"impugning" the validity of a signature from OtherGuy.com.   Example.com is
not empowered to be a reputation service for unrelated entities.

However, the language of this section directly supports the DMARC
implementation. 

To solve the MLM problem, you need to explain how MLMs become authorized by
the author domain to send on behalf of the author, without authorizing
spammers to send on behalf of the author.

It seems that we have an architectural problem because the current
infrastructure assumes a single author.     In reality, we have multiple
situations that involve multiple authors.   For example, this message
includes your entire note, and your note includes part of Jim's note.   But
those notes no longer have valid digital signatures, so there is no proof
that I have represented you correctly, and it is technically possible for me
to rewrite your comments entirely.

A similar problem occurs if my spam filter adds content to a message as it
arrives into my domain, content that is really intended for "internal use
only".   The additions will break incoming signatures, although this is
tolerable because signatures are not checked again, as long as the message
remains internal.   But if a message is  auto-forwarded to another domain,
the additions are probably inappropriate and the message no longer passes
Sender Authentication.   I would like to be able to preserve the original
signature throughout, and remove the internal spam filter content when the
message leaves the internal domain.

Consequently, I am dreaming about an architecture that allows mediators to
add content under their own signature without voiding the signature of other
sections.   The concept is a combination of John's ARC project, which uses
nested signatures , and Murray's tagged content, which acts as a change log.
It would allow an MUA to clearly identify the content contributed by the
different authors, and it would contribute to solving the MLM problem.    It
is easier to imagine how it could be used to identify additions, such as a
message footer, then to identify alternations, such as a URL rewrite.   And
the whole thing may be too complicated to implement in a way that is upward
compatible with the present architecture.   But it would be a better model
of reality.

Doug Foster



-----Original Message-----
From: dmarc [mailto:dmarc-bounces@ietf.org] On Behalf Of Hector Santos
Sent: Friday, July 17, 2020 12:02 PM
To: dmarc@ietf.org
Subject: Re: [dmarc-ietf] DMARC threat analysis needed

On 7/15/2020 8:14 PM, Jim Fenton wrote:
> Unburying this from a different thread.
>
> I'm really struggling to understand what problem(s) DMARC is trying to 
> solve. The most common answer I have heard says something about 
> "defending brand identity", which is a marketing, not a technical 
> consideration.
>
> IMO we need a threat analysis, ala RFC 4686 or RFC 5016, to define the 
> technical requirements. I am NOT volunteering to do this.

Jim, if we review both RFC4686 and RC5016, I believe we might find there is
not much to be changed. However, imo, something will have to be done
regarding RFC5016 section 5.3 item:

   https://tools.ietf.org/html/rfc5016#section-5.3
   5.3.  Practice and Expectation Requirements

   10. SSP MUST NOT provide a mechanism that impugns the existence of
       non-first party signatures in a message.  A corollary of this
       requirement is that the protocol MUST NOT link practices of first
       party signers with the practices of third party signers.

        INFORMATIVE NOTE: the main thrust of this requirement is that
        practices should only be published for that which the publisher
        has control, and should not meddle in what is ultimately the
        local policy of the receiver.

This provision with strict protocol language "MUST NOT" prohibits any DKIM
Policy protocol, formally called SSP "Sender Signing Practices" 
and now today, DMARC, from impugning on 3rd party policies such as how a MLM
operator via local policy exceptions can ignorantly and blinding destroy the
integrity and resign the mail instead of just honoring it.

This language would have be updated or removed and just leave the implicit
idea that local policy always prevails in all SMTP situations.

Have a good weekend, be safe.

--
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email