Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd
"Murray S. Kucherawy" <superuser@gmail.com> Tue, 03 September 2019 15:58 UTC
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Tue, 03 Sep 2019 08:57:59 -0700
Message-ID: <CAL0qLwacbAT04tckpPcRcnOt=1QByOBeJ7uDf6rNK6NRwtxZYg@mail.gmail.com>
To: Dave Crocker <dcrocker@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/oggLtCXy-vYyEBKLhtGinalIy_c>
On Tue, Aug 13, 2019 at 7:02 PM Dave Crocker <dcrocker@gmail.com> wrote:

> Review of: DMARC (Domain-based Message Authentication, Reporting, and
> Conformance) Extension For PSDs (Public Suffix Domains)
> I-D: draft-ietf-dmarc-psd-06
> Reviewer: D. Crocker
> Review Date: 12 August 2019
>

Dave,

Thanks for your feedback about draft-ietf-dmarc-psd on August 13. Though Working Group Last Call closed on July 17th, the chairs have taken careful consideration of your feedback before allowing the document to proceed.

We take these as the main points of your comments (and please correct us if we have missed any):

1. The current design of DMARC observes a clear division of functions between itself and the PSL. Specifically, as you point out, DMARC relies on a PSL existing and being available as input, but provides no guidance regarding selection of a PSL source nor of its content management policy. Also, the only operation available on the list is a test of membership (i.e., “is this domain on the list?”). Both of these tenets contribute to simplicity in DMARC’s current design.

2. The PSD proposal attempts to resolve use cases that have appeared since the publication of RFC7489 by prescribing the conditions under which an additional check for a policy record at a new (related) location should be done. This violates the tenets of (1) above.

3. This additional lookup, in those cases where it is done, increases substantially the complexity of DMARC implementations, and that complexity comes with non-trivial cost.

4. The use case(s) sustained by this change are not clearly substantial or beneficial enough to warrant enshrining this as a change to DMARC, even with only Experimental status. There has also been very little indication of interest for implementation of the experiment.

On review (and our apologies for the duration of that review), we believe the current draft does attempt to address your concerns, but does not make this clear in its current form. Given our responses to your points below, and if you agree, perhaps you can help us to compose alternative text that improves that situation.

For the first two points, we concur. On the issue of the second violating the tenets of the first, we suggest that the outcome of the experiment can be used to drive an evolution of the PSL into a new form and perhaps new update policies. That is, rather than driving a change to DMARC itself, the experiment’s results (if successful) can drive a change to the PSL, or perhaps inform development of an alternative to it.

From a higher level view, the experiment can be seen as the temporary construction of an augmented PSL (i.e., the actual PSL coupled with the queryable registry described in Appendix B), which DMARC then can consume to resolve the use cases that have appeared which now need to be addressed. The portion of the experiment comprising an augmentation to DMARC’s algorithm would therefore not be part of DMARC permanently. Then, if the experiment proves effective, that would become prima facie evidence that the PSL, augmented with this additional information, would enable DMARC to resolve those use cases. Such an augmented PSL would still conform to the desirable separation of functions to which you alluded.

The working group originally discussed other alternative ways to augment or even replace the PSL, such as creating a queryable IANA registry controlled under our own terms. The WG did not achieve consensus on such a proposal. Should this experiment bear fruit, that discussion could (and should) be revisited.

Also, to be clear, any effort to augment the format, content, or management of the PSL would require collaboration with the Mozilla Foundation, as they are its de facto maintainers; absent such collaboration, or if our proposal is not accepted, we must revisit the notion of creating our own version of it and coming up with workable query and update mechanisms and policies.

On the third point, we respectfully disagree. An informal canvassing of some members of the DNS community has been done and the consensus opinion suggests that the additional operational overhead proposed here is negligible. This is, indeed, a far cry from the resistance with which the original DKIM policy work was met, wherein even a one-level tree walk upward drew heavy criticism. Code-wise, DNS queries are well understood processes by now, and adding one more to the implementations of those packages with active representation in the working group has not been seen as costly enough to be a concern. And it seems logical that conducting this experiment will indeed help to confirm whether the additional query is an apparent burden on either implementers or operators.

On the final point, we suggest that the WG considers this an intentional part of the experiment’s design. The set of use cases to which the experiment applies is deliberately constrained, which of course will limit the apparent effectiveness of the technique being proposed. However, if it is effective for the small number of domains that are part of the experiment, and with a relatively limited set of implementers, this constitutes evidence that a wider trial involving more prominent PSL entries and larger operators would be warranted as part of the development of DMARCbis.

In addition, there are a few very large players in the space who are unfortunately reticent to declare publicly that they are interested in seeing this evolutionary experiment proceed. These include large email providers and operators of sizable TLDs in need of the capabilities pursued here. This provides some weight to the idea that this will not be simply a niche experiment.

If none of the above are enough to assuage your concerns, we would appreciate any suggestions you might have about an alternative experiment that might be run to address the use cases both you and the draft have described.

Lastly, we note that the idea of “walk up one node” came from an email thread in December[1] wherein you suggested that approach, and which the PSD draft now follows. We are thus a little surprised by the assertion that it should not proceed at all. Was there some content of that thread that was not taken into account that would make it palatable?

-MSK, co-chair

[1] https://mailarchive.ietf.org/arch/msg/dmarc/pQpKag3acqIISxb-SOrJ3mHFayI
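
The lookup order under discussion, as an added example that is not part of the original message or of the draft's text: standard DMARC policy discovery, followed by the one extra query at the public suffix one label above the organizational domain. The suffix list, registry contents, DNS records and function names are all constructed for illustration, and gating the extra query on registry membership is an assumption based on the message's description of Appendix B.

```python
# Constructed sample data (not real DNS or real PSL content).
PSL = {"example", "gov.example"}        # toy public suffix list
PSD_REGISTRY = {"gov.example"}          # toy registry of participating PSDs
DNS_TXT = {                             # toy zone: name -> DMARC TXT record
    "_dmarc.gov.example": "v=DMARC1; p=reject",
    "_dmarc.bank.example": "v=DMARC1; p=quarantine",
}


def org_domain(name, psl=PSL):
    """Organizational domain: longest matching public suffix plus one label.

    The only operation performed on the list is a membership test.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):        # longest candidate suffix first
        if ".".join(labels[i:]) in psl:
            # i == 0 means the name is itself a public suffix; keep it as-is.
            return ".".join(labels[max(i - 1, 0):])
    return None                         # no known suffix, no org domain


def discover_policy(from_domain, dns=DNS_TXT, registry=PSD_REGISTRY):
    """Return (record or None, names queried) for an RFC5322.From domain."""
    queried = []

    def lookup(name):
        queried.append(name)
        return dns.get(name)

    from_domain = from_domain.lower().rstrip(".")
    record = lookup("_dmarc." + from_domain)          # 1. exact domain
    org = org_domain(from_domain)
    if record is None and org and org != from_domain:
        record = lookup("_dmarc." + org)              # 2. organizational domain
    if record is None and org and "." in org:
        psd = org.split(".", 1)[1]                    # 3. walk up one node
        if psd in registry:                           # assumed registry gate
            record = lookup("_dmarc." + psd)
    return record, queried


if __name__ == "__main__":
    for d in ("mail.agency.gov.example", "www.bank.example", "shop.example"):
        print(d, discover_policy(d))
```

The length of the returned query list is the per-message DNS cost: the PSD step adds at most one query, and only when neither earlier lookup returned a record.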