Re: [dmarc-ietf] Prove me wrong!
Brandon Long <blong@fiction.net> Tue, 15 August 2017 23:55 UTC
Return-Path: <blong@fiction.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9FAD1323AC for <dmarc@ietfa.amsl.com>; Tue, 15 Aug 2017 16:55:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level:
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fiction.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dBFCHdcUmfCB for <dmarc@ietfa.amsl.com>; Tue, 15 Aug 2017 16:55:31 -0700 (PDT)
Received: from mail-ua0-x236.google.com (mail-ua0-x236.google.com [IPv6:2607:f8b0:400c:c08::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61DCC13232D for <dmarc@ietf.org>; Tue, 15 Aug 2017 16:55:31 -0700 (PDT)
Received: by mail-ua0-x236.google.com with SMTP id y36so8526521uac.5 for <dmarc@ietf.org>; Tue, 15 Aug 2017 16:55:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fiction.net; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=56rgi0dA3CiXDPJTRoVGFUO8GiHRzrwFWgpVyl6SAiA=; b=RHKa7XbbmJxYrX+kJ2yTEL90NfDXKE9HZSncenTx0iA4VMCA8qhXh3qgTX5QA9eq43 gltkh64ictyUYIu5qd8TTaNYzA98ZFU8v8VrU9LLEN7Rq6P2MKZsdRkQobPGA8mcROG2 bs7EKMQqAu5mzy9lw+AvYTfXZoBnsaY6F6DFcap8wJ7p9gT28n9ip/crcEk4oJgful4w SKhRNDPoRpLbKXUb6KICbKp8ShOCbEqt/MCQys6c5HBInoFeWgA744gndwcsWDkXNL6k VvfGf3VoxckgTyIk18B/tIp2TtPu8HLRWA+PkHq7LxmjmI4BH3AOI2Uxs/1FVSMSZZ0V op2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=56rgi0dA3CiXDPJTRoVGFUO8GiHRzrwFWgpVyl6SAiA=; b=PIwJNtzRPyhOQeHhQY2bi6GnZjcGvwpk26B57TkNFYVrcAEKE0gEgwG2ORl9s0L5Lp KCmERGoEnJYh4g0QDwUjz5G3OK9agURwW5yxJ/RCsRevf3s4jOXysTKVNGmRMWR68qr7 fjFp7JFIXnRVdyBF77ZR+fhimpbBsmtH2yoCpu627KSq4ZQRmj0f1AV0/uoeBfXY6Qmo cX/XgK5N41tSt8z4/qvisVGF+kaKwW4UBWKahYRkd7eA7WgAuXp6VgHDThvD0svU17FC J7o/5jo0RKjMExph9n0XMiJ7QuDfUnPxmw+b3zZgLgUHWDFK5UmdilES17wuJmMNz6GR r07A==
X-Gm-Message-State: AHYfb5hJIosbAgnUsbG22WuYCDJrB6Y3dZqOb7PXEaoxIGau6yBliy12 Sgu8qSRMI3x5c0nH3MyCOA==
X-Received: by 10.176.88.66 with SMTP id p2mr21799257uac.181.1502841330311; Tue, 15 Aug 2017 16:55:30 -0700 (PDT)
Received: from mail-vk0-f54.google.com (mail-vk0-f54.google.com. [209.85.213.54]) by smtp.gmail.com with ESMTPSA id x16sm2337080vke.37.2017.08.15.16.55.29 for <dmarc@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 15 Aug 2017 16:55:29 -0700 (PDT)
Received: by mail-vk0-f54.google.com with SMTP id r199so7432184vke.4 for <dmarc@ietf.org>; Tue, 15 Aug 2017 16:55:29 -0700 (PDT)
X-Received: by 10.31.202.69 with SMTP id a66mr17649613vkg.66.1502841329181; Tue, 15 Aug 2017 16:55:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.135.139 with HTTP; Tue, 15 Aug 2017 16:55:28 -0700 (PDT)
In-Reply-To: <1502762779.1086232.1073552432.22DE7E98@webmail.messagingengine.com>
References: <1502762779.1086232.1073552432.22DE7E98@webmail.messagingengine.com>
From: Brandon Long <blong@fiction.net>
Date: Tue, 15 Aug 2017 16:55:28 -0700
X-Gmail-Original-Message-ID: <CABa8R6vYDQaj64ahhivONp4DVv0-zrv8D8ZFZOAT71xC0q+FfA@mail.gmail.com>
Message-ID: <CABa8R6vYDQaj64ahhivONp4DVv0-zrv8D8ZFZOAT71xC0q+FfA@mail.gmail.com>
To: Bron Gondwana <brong@fastmailteam.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a114dd64a951b820556d383b8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/orzDdpzNx09AF0XrhLaspMbkwFQ>
Subject: Re: [dmarc-ietf] Prove me wrong!
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 23:55:35 -0000
Since AMS i=1 doesn't pass, the information included in Set 2 only says that site3 claims that site2 said that spf passed, whereas in Set 1, the AS allows you to verify that site2 actually claimed that spf passed. Now, since the i=1 AMS doesn't pass, it is true that the i=1 headers in both cases could have been either made out of whole cloth (in Set 2) or copied from an existing message (in Set 1). Your formulation also means that who asserted anything in i=1 is now missing. You could include information in the i=1 aar on who made the assertion (srv-id?) or not strip the broken AMS for i=1. Looking at my whitelist based local policy override code, it doesn't care about the seal, the seal is only used to verify the intact arc chain. So, assuming some changes to what you're saying, your handling of a single message is not different based on the two versions above. That is not the only utility of the arc chain, however. AS allows me to verify that what was asserted was asserted by the actual service, but not that that assertion applies to this message. The fact that it applies to this message is based on trusting the services which handled receipt, yes. But your version allows a malicious actor to invent the path the message went through. With AS, they have to copy an existing chain, without it they can just write whatever they want. This distinction becomes more important when using the information as training data for learning which paths to trust and which not to trust. The AS certainly contains more information there, but perhaps that more information is only useful for the largest actors, and then maybe only as some small percentage of decreased false positives or the ability to allow trust further down the long tail. Without sufficient data and implementation, it's hard to judge whether the utility of this extra information is useful. Brandon On Mon, Aug 14, 2017 at 7:06 PM, Bron Gondwana <brong@fastmailteam.com> wrote: > Seth pointed out that my emails have been long and contained many points, > so I'd like to keep this really simple. > > I will propose two sets of headers on the same message, and I ask if > anybody can find a case where the set with AS headers provides some > information which is not present in the set without. Assume you are a > receiver at site5.com who just received this message on your MX and are > validating it. > > Set 1: > > AS: i=3; cv=pass; d=site4.com > AMS: i=3; d=site4.com > AAR: i=3; arc=pass (spf=fail spfdomain=site1.com dmarc=fail fromdomain= > site1.com) > AS; i=2; cv=pass; d=site3.com > AMS: i=2; d=site3.com > AAR i=2; arc=pass (spf=fail spfdomain=site1.com dmarc=pass fromdomain= > site1.com) > AS; i=1; cv=none; d=site2.com > AMS: i=1; d=site2.com > AAR i=1; arc=none (spf=pass spfdomain=site1.com dmarc=pass fromdomain= > site1.com) > DKIM-Signature: d=site1.com > From: <foo@site1.com> > > Set 2: > > AMS: i=3; d=site4.com; h=aar:aar:aar:to:from:etc > AAR: i=3; arc=pass (arcdomain=site3.com spf=fail spfdomain=site1.com > dmarc=fail fromdomain=site1.com) > AMS: i=2; d=site3.com; h=aar:aar:to:from:etc > AAR: i=2; arc=pass (arcdomain=site2.com spf=fail spfdomain=site1.com > dmarc=pass fromdomain=site1.com) > AAR: i=1; arc=none (spf=pass spfdomain=site1.com dmarc=pass fromdomain= > site1.com) > DKIM-Signature: d=site1.com > From: <foo@site1.com> > > In each case the AMS with i=2 and the AMS with i=3 are valid. > > I would love to see a case where Set 1 gives information that Set 2 > doesn't, because that would prove that my understanding was incorrect. > > Regards, > > Bron. > > -- > Bron Gondwana, CEO, FastMail Pty Ltd > brong@fastmailteam.com > > > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc > >
- [dmarc-ietf] Prove me wrong! Bron Gondwana
- Re: [dmarc-ietf] Prove me wrong! Brandon Long
- Re: [dmarc-ietf] Prove me wrong! Bron Gondwana