Re: [dmarc-ietf] Benjamin Kaduk's Discuss on draft-ietf-dmarc-eaiauth-04: (with DISCUSS and COMMENT)

Scott Kitterman <sklist@kitterman.com> Fri, 05 April 2019 18:20 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 034EE1205D2 for <dmarc@ietfa.amsl.com>; Fri, 5 Apr 2019 11:20:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=VoXW3dFN; dkim=pass (2048-bit key) header.d=kitterman.com header.b=HeU6unev
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5uO7uhvUdAi7 for <dmarc@ietfa.amsl.com>; Fri, 5 Apr 2019 11:20:26 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 373DA1203F6 for <dmarc@ietf.org>; Fri, 5 Apr 2019 11:20:26 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id A337FF8081F for <dmarc@ietf.org>; Fri, 5 Apr 2019 14:20:24 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1554488424; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=m5HQbweKzFXZaW5cYtat3Mj+f56GqHr9KhpVRyQNiao=; b=VoXW3dFN+KHFNLr9lBAc23tt4VPjbqYMT7lkluYhtHCWVQ0h52ZjwaLV toyimvBxDWsTZCzU98Kc+DMVfChZAw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1554488424; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=m5HQbweKzFXZaW5cYtat3Mj+f56GqHr9KhpVRyQNiao=; b=HeU6unevDALuITekbX6qYKRnjLs3vpS+RcaptnmlDZ8o650VXEwzcR2I LXsupJeUgllgwkWX7O/IcREmPU7hgl6J8BrHBRngliC8A0pjYj/ZjTXbm8 B8vF0wYx+KaBE2Cc3NhJxkS95PQAXWVFrnJ83gtHfR2PKinoOdYrQ+DKpd TP60df7l7iQu95yPh826b+94xc/FwH5+oXYzONWicmvnbzLZYR+monQJ17 Rr8pm1wu8R+vNBq31vYp4hRinDxF3O1966y86vOZpS60cNIsDRiTycvWDT ePDAgoDhBQN6V36+K0xWySHFuY/N/3TUPRxZd27GE1x7Xp0XFnt75w==
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 73459F80053 for <dmarc@ietf.org>; Fri, 5 Apr 2019 14:20:24 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Fri, 05 Apr 2019 14:20:23 -0400
Message-ID: <14007257.XvzNgCV7GG@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-164-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <155448515761.10017.3964878632140323988.idtracker@ietfa.amsl.com>
References: <155448515761.10017.3964878632140323988.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ph76n7O8K6QSDX9ibvURnxanMGQ>
Subject: Re: [dmarc-ietf] Benjamin Kaduk's Discuss on draft-ietf-dmarc-eaiauth-04: (with DISCUSS and COMMENT)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2019 18:20:28 -0000

On Friday, April 05, 2019 10:25:57 AM Benjamin Kaduk via Datatracker wrote:
> I'm not sure I fully understand the security consequences of causing
> the SPF macros %{s} and %{l} to never match when the local-part contains
> non-ASCII characters, but they seem potentially quite bad.  That is, if
> the policy is intending to limit allowed senders to a specific list (or
> block specific senders), would an attacker be able to avoid the
> restriction by using a non-ASCII local-part?

For the working group's consideration:

I think this part of the discuss is a result of the draft appearing to specify 
a change in behavior for SPF, when all it's really doing is documenting the 
consequences of how EAI, SPF, and DNS interact.

There's no change in security considerations because there's no change in the 
protocol.  We're merely more clearly documenting the interaction.  I'll leave 
it to the chairs/author/shepherd to decide how to respond to the discuss, but 
I think "we're just documenting how it implicitly works" is a more likely road 
to success than "meh, no one really uses that".

Scott K
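The interaction the thread is about, as an added example that is not part of the message and is not code from pyspf or any other SPF implementation: a toy evaluator for just the RFC 7208 macro and mechanism subset needed to show what happens when %{l} is expanded from a non-ASCII (RFC 6531) local-part, run against the two policy shapes Kaduk asks about (an allow-list and a block-list keyed on the local-part). The zone contents, the policy records and the addresses are constructed; the rule that an expanded name containing non-ASCII octets never matches is the outcome the draft describes, not a simulation of any particular resolver.

```python
import ipaddress
import re

# RFC 7208 section 7.3 macro syntax: %{<letter><digits><r><delimiters>},
# plus the %%, %_ and %- literals.  Only the letters this example needs.
MACRO = re.compile(r"%(?:\{([slodi])(\d*)(r?)([.\-+,/_=]*)\}|(%)|(_)|(-))")

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand_macros(spec, sender, domain, ip):
    """Expand a domain-spec.  sender is the MAIL FROM address (its local-part
    may be UTF-8 under RFC 6531); domain is the domain being checked."""
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain, "i": ip}

    def repl(m):
        letter, count, rev, delims, pct, us, dash = m.groups()
        if pct:
            return "%"
        if us:
            return " "
        if dash:
            return "%20"
        # split on the given delimiters (default "."), optionally reverse,
        # optionally keep only the rightmost <count> parts
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if count:
            parts = parts[-int(count):]
        return ".".join(parts)

    return MACRO.sub(repl, spec)


def check_host(record, zone, sender, domain, ip):
    """Evaluate an SPF record (subset: ip4, exists, all with qualifiers).
    zone is a constructed set of names that have an A record.  A term whose
    domain-spec expands to a non-ASCII name is the EAI case the draft
    describes: it never matches and evaluation moves on to the next term."""
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "exists":
            name = expand_macros(arg, sender, domain, ip).rstrip(".")
            # no IDNA step exists for macro output, so a non-ASCII name is
            # never looked up successfully and the term cannot match
            matched = name.isascii() and name in zone
        else:
            return "permerror"  # mechanism not implemented in this toy
        if matched:
            return RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term


# Constructed A records: an allow-list and a block-list keyed on local-part.
ZONE = {
    "alice.senders.example.com",
    "mallory.blocked.example.com",
}

ALLOW_LIST = "v=spf1 exists:%{l}.senders.example.com -all"
BLOCK_LIST = "v=spf1 -exists:%{l}.blocked.example.com +all"


def eai_outcomes():
    """Both policy shapes, each with an ASCII and a non-ASCII local-part."""
    ip, domain = "192.0.2.1", "example.com"
    return {
        "allow/ascii":     check_host(ALLOW_LIST, ZONE, "alice@example.com", domain, ip),
        "allow/non-ascii": check_host(ALLOW_LIST, ZONE, "ælice@example.com", domain, ip),
        "block/ascii":     check_host(BLOCK_LIST, ZONE, "mallory@example.com", domain, ip),
        "block/non-ascii": check_host(BLOCK_LIST, ZONE, "mallöry@example.com", domain, ip),
    }


if __name__ == "__main__":
    for case, result in eai_outcomes().items():
        print(f"{case:16} -> {result}")
```

With these inputs the allow-list shape fails closed: a non-ASCII local-part can never earn "pass" through the exists: term, so it falls through to -all. The block-list shape is skipped for the non-ASCII sender and reaches +all, but a block entry keyed on a local-part the sender chooses was never a meaningful restriction, since any other local-part would also sail past it. The macro expander also reproduces the RFC 7208 section 7.4 example (%{ir}.%{l1r+-}._spf.%{d} for strong+bad@email.example.com from 192.0.2.3 gives 3.2.0.192.strong._spf.email.example.com), so it can be used to check other records in the same way.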