Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

"John Levine" <johnl@taugh.com> Mon, 30 July 2018 22:26 UTC

Date: Mon, 30 Jul 2018 18:17:25 -0400
Message-Id: <20180730221726.713CE200316625@ary.qy>
From: John Levine <johnl@taugh.com>
To: dmarc@ietf.org
Cc: seth@sethblank.com
In-Reply-To: <CAD2i3WNSe+of7U8fdTnmUeU3sthUbpEVgdYHT9J6BgLxoeOL3w@mail.gmail.com>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/pWglMjxdSNrcSs6yJR1EFhaSVRU>

In article <CAD2i3WNSe+of7U8fdTnmUeU3sthUbpEVgdYHT9J6BgLxoeOL3w@mail.gmail.com> you write:
>5.1.2 says when a chain fails, to put cv=fail in the AS and only Seal the
>ARC Set being added.
>
>Per the original message and suggested text, I believe 5.1.2 should only
>provide the above guidance when it is not otherwise possible to sign the
>entire ARC Chain (i.e. when the Chain is structurally invalid and a
>deterministic set of headers cannot be enumerated).

I still have a question: if you have the right set of older headers,
you could sign them even if they're corrupted and the signatures are
invalid.  But if the old sets have extra or missing headers, you can
only sign your own set.

I think it's fine to sign and hope for the best, but how is a
validator supposed to tell the difference?  Perhaps we need something
like cv=restart.

R's,
John
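
The distinction drawn in this message, between older ARC Sets that are the right set of headers (even if corrupted) and ones with extra or missing headers, can be checked structurally before deciding what a cv=fail seal covers. The following is an added example, not part of the original post or of the ARC draft; the function names and sample header values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

ARC_FIELDS = ("arc-authentication-results", "arc-message-signature", "arc-seal")
# i= instance tag at the start of the value or after a semicolon
# (so "header.i=@example.org" inside an AAR is not mistaken for it).
INSTANCE_RE = re.compile(r"(?:^|;)\s*i\s*=\s*(\d+)\s*(?:;|$)")


def group_arc_sets(headers):
    """Count ARC header fields per instance; unparsable i= is filed under None."""
    sets = defaultdict(lambda: defaultdict(int))
    for name, value in headers:
        if name.lower() in ARC_FIELDS:
            m = INSTANCE_RE.search(value)
            sets[int(m.group(1)) if m else None][name.lower()] += 1
    return sets


def prior_sets_to_seal(headers):
    """Return (enumerable, instances) for the ARC sets already on a message.

    enumerable is True only if instances 1..N each carry exactly one AAR,
    AMS and AS. Signatures are NOT verified: a corrupted but complete chain
    is still a deterministic header set that a cv=fail seal could cover.
    """
    sets = group_arc_sets(headers)
    if None in sets:
        return False, []
    highest = max(sets, default=0)
    for i in range(1, highest + 1):
        counts = sets.get(i, {})
        if any(counts.get(f, 0) != 1 for f in ARC_FIELDS):
            return False, []  # extra or missing header: seal own set only
    return True, list(range(1, highest + 1))


def arc_set(i, cv, b="placeholder"):
    """Constructed sample ARC set; tag values are placeholders, not real signatures."""
    return [("ARC-Seal", f"i={i}; a=rsa-sha256; cv={cv}; d=example.org; b={b}"),
            ("ARC-Message-Signature", f"i={i}; a=rsa-sha256; d=example.org; b={b}"),
            ("ARC-Authentication-Results", f"i={i}; mx.example.org; spf=pass")]


# Constructed inputs: a complete chain with a damaged signature, a chain
# missing the i=1 AMS, and a chain with a duplicated i=2 seal.
CORRUPT_BUT_COMPLETE = arc_set(2, "pass") + arc_set(1, "none", b="damaged")
MISSING_HEADER = arc_set(2, "pass") + [h for h in arc_set(1, "none") if h[0] != "ARC-Message-Signature"]
EXTRA_HEADER = arc_set(2, "pass") + arc_set(2, "pass")[:1] + arc_set(1, "none")
```

A validator that sees only the resulting cv=fail seal cannot recover which branch the sealer took, which is the gap the message points at.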