IETF Logo Mail Archive

Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Bron Gondwana <brong@fastmailteam.com> Tue, 15 August 2017 03:26 UTC

Return-Path: <brong@fastmailteam.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C0E31324A8 for <dmarc@ietfa.amsl.com>; Mon, 14 Aug 2017 20:26:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level:
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=C2WrJk9j; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=p0zptvKk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WEz1x3hLigbe for <dmarc@ietfa.amsl.com>; Mon, 14 Aug 2017 20:26:41 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53AA21320CF for <dmarc@ietf.org>; Mon, 14 Aug 2017 20:26:41 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id C3D38209F9; Mon, 14 Aug 2017 23:26:40 -0400 (EDT)
Received: from web5 ([10.202.2.215]) by compute6.internal (MEProxy); Mon, 14 Aug 2017 23:26:40 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=LOVwAo ztlvn2qtrdArVU2JqWcBSwwoZUxMjbsTozNV4=; b=C2WrJk9jTDOmGpML2Buk1e ZcMx7rhDkgPG0Hzkb3mvW8Lr7/i+dlWWuvKkyegHApGqmxyBbjK3n+cOcb+MPzuP 8vm0Hha6BEJgTdbIYFxaqFiC2s/bO7aarfYIl6XAu0L8NpKrU8Ji0LBCklWDP7vF fhtyg2iLSQdIDipEtVRSm1pokN1hsmwe5wlRxrmK1rmQAwFLElC+wVCRbK5LPoAT 3Tmz9cjD9T7yKMwfADOVIvIGjHQZSth7Jj8+sy/+ddqFLjepXqFfBcEc8sfEIqK+ j+EwgewA/4+5WlzDiri22VSX6NndLq9BkWJltMVccsuGbWdit52kcngWbLU47AVQ ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=LOVwAo ztlvn2qtrdArVU2JqWcBSwwoZUxMjbsTozNV4=; b=p0zptvKk/y00NdDa3H8wFO OQ+NbQY5ku7cJ75njRwFrXFmbDLi7a30BIhE5d5WxggmsYxJ5jitJ3jXM5JjOoGP VJ4eHIjXEUQFyLIp2XC1tqIRuOr+vvov+t/hUGXDKonDspmGiNnFA+gEHdqj72l0 9CsLG+ujFjV0IQXQZs1IhIAhW6FXextVvJ9kgOMvsbyPQfpiLMuXf2gmsh28IfS0 p2z7Vqft0/i8ME/z/xXbymcaMG2NZtXK2zHjeK1jYlBAGq6bIBG6GPiA3lTJm5M0 W9CIBJYbYtVKD1fslrb2woYixiAVqPYOs1aarM3GNDuoS0CwOcFXPNvpXK1KrRQA ==
X-ME-Sender: <xms:8GmSWScc4zOXSAylFWvXXzNffS3gECQirrACTFBF1BtC51qJ-fTlDQ>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 8E9439E264; Mon, 14 Aug 2017 23:26:40 -0400 (EDT)
Message-Id: <1502767600.1109836.1073601728.39EC6083@webmail.messagingengine.com>
From: Bron Gondwana <brong@fastmailteam.com>
To: Seth Blank <seth@sethblank.com>
Cc: dmarc@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_150276760011098360"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-ff6d44b3
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com> <CABa8R6uV=4Cc47zHtZtA-0WFVhuEYPAr3NTswzvF4H21tjfWTw@mail.gmail.com> <1502755921.1067004.1073467336.14612B87@webmail.messagingengine.com> <CAD2i3WMt+FL7J21diBBD_Qw88iGu5-PUhJcp3cGpFdF9qYhTew@mail.gmail.com> <1502760697.1080249.1073516280.7B4109C1@webmail.messagingengine.com> <CAD2i3WN9C8dm=TTVKTWW4NCwXy_Or-zj6uykV0HFTZ=4CBEpdQ@mail.gmail.com>
Date: Tue, 15 Aug 2017 13:26:40 +1000
In-Reply-To: <CAD2i3WN9C8dm=TTVKTWW4NCwXy_Or-zj6uykV0HFTZ=4CBEpdQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/pq98RHp9g0JQw2Ct6rSaU8_uH-Y>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 03:26:45 -0000

On Tue, 15 Aug 2017, at 12:59, Seth Blank wrote:
> 
>> 
>> "might be useful to someone at some point" - that kind of wooliness
>> is a crock, sorry.  Once  crypto doesn't validate it has no meaning
>> if all the data is present elsewhere - and everything that an AMS
>> claims except for the crypto over the message is duplicated in the
>> next hop's AAR.>> 
>> If that's not the case, we should fix it so that it is.
>> 
>> "see what ends up being useful after this is in the wild for a bit"
>> makes sense for informational records.  It doesn't make sense for
>> cryptographic data.  Either the crypto is sound and it means
>> something, or it's actively misleading.  A no-longer-validating AMS
>> contains nothing that the next hop's AAR doesn't contain.> 
> So there have been two years of discussion about this on the list,
> and the consensus was that ARC will include trace information - like
> all non-originating AARs - because that information might be
> interesting or useful to some party at some point. Google has many
> instances where a non-originating AAR has the information that
> matters to them. But the tl;dr here is simply that the decision was
> made at its inception to include extra information that might be
> helpful later, and that the working group wasn't open to re-
> evaluating that decision because the body of ARC was built on it. If
> that's the design decision, then we need to be consistent in its
> application - which means not throwing out excess data, especially if
> someone says "that might be valuable to me.">  

Yes, trace information is good.  I absolutely agree that you need to
keep all the AARs.
The problem with AS is that it's not trace information in any meaningful
way over time.  The AS only validates while that key is still published,
so it's not "forever".
(mind you, nothing validates forever, the AMSes only validate while they
key is still in DNS too)
The fact that there was an AMS gets captured in the next AAR.

>>  
>>>> I just had a really good chat with Seth on Skype half an hour ago
>>>> about this.  He was unable to find a case where having a full
>>>> AS,AMS,AAR adds any provable value over just checking the most-
>>>> recent AMS and having AAR signed.  I do like your proposal of
>>>> signing ALL the existing AARs, because they're the thing of value.
>>>> Old AMS have no value, and old AS have no value either so long as
>>>> you have a cv=pass on the current AS.>>> 
>>> That's not quite what I said ;-)
>> 
>> 
>> OK, did I misunderstand?
>> 
>> You  couldn't quote a case where AS,AMS,AAR adds provable value over
>> an AMS that signs the most recent AAR.  If you can find that case, I
>> will eat all my words, because I've spent a lot of time thinking
>> through the cases.>> 
>> I agree with what Brandon seemed to be saying above - that it should
>> be all the AAR being signed, not just the top one.  Otherwise an
>> intermediate could strip or modify earlier AAR without breaking the
>> authentication, and that would be bad.  Each AAR contains real,
>> valuable, meaningful data.> 
> I said the AS forces anyone who modified the chain to sign. In the
> obvious "all trusted" and "clearly untrusted" signers cases, the AS
> doesn't seem to add much value. But if a bad actor finds a way to send
> a chain through a good intermediary, then not having an AS would allow
> this message to be delivered. This is an edge case, and maybe doesn't
> matter - but the AS certainly protects against it.
Can you please expand on this point and show how the AS is protecting
against a bad actor sending a chain through a good intermediary.  I
really don't see it.  An example of AS protecting against a bad actor
here would totally blow my argument out of the water.
> 
> The spec already covers all AARs by the AS.
>  
>> 
>> 
>> As far as I see, we're quibbling over how much cryptographic
>> infrastructure is needed to maintain the integrity of the chain of
>> AAR headers.>> 
>> 
>>> If you throw old AMSs out, you cannot validate current ASs or walk
>>> the chain back.>> 
>> 
>> So what.  AS is bunk.
>> 
>> A current AMS over all AAR gives the same auditability, since AAR is
>> the only thing that has meaning.  AMS only has meaning while it still
>> validates, and AS only has meaning because it ties AMS and AAR
>> together.  Those meanings don't add value.  None of them mean jack
>> once you've been through an untrusted site, all previous headers are
>> suspect regardless of whether they have crypto that still validates,
>> unless that crypto covers facts about the message which we actually
>> care about.> 
> I thought our discussion ended with the AS adding an extra layer that
> was benign at worst, and protected against future unknown attacks at
> best. And your concern was the overhead of evaluating the AS on DNS,
> especially for long chains. I thought where we ended was your
> suggestion that the spec only requiring validation of the latest AS
> and AMS, and implementations MAY validate all AS's if they wish.> 
> If this is the case, then we can't throw out any AMS because none of
> the ASs would validate any longer.>  
>> 
>>> 
>>> I'll suggest language for stamping "first AMS failure", but we
>>> shouldn't strip old AMS/AS headers.>> 
>> 
>> This is where we disagree.  We shouldn't create AS headers in the
>> first place.> 
> This is 180 degrees from where we left off on the call. 

That is true.   We discussed an alternative world in which we keep the
AS but reduce the validation requirement.  That's my fallback position
if I can't convince people that AS is pointless.  It's not my preferred
position, which is where I went in response to Brandon's post.
>> We should have AMS sign all the AAR and that's it.  No AS, no need to
>> retain broken AMS.>> 
>> It gets you all the same machine readable chain of custody as
>> AS+AMS+AAR  in the unbroken case, and it breaks at the same place
>> with the same detectability in the fraudulent-actor case.> 
> I'll let someone who's more familiar with where ARC started from - my
> understanding was that ARC stemmed from something similar to AMS+AAR
> being insufficient, but I don't have enough context here to provide
> meaningful insight.
I would love to see that.

If you can show me a case where AS protects against a bad actor, and
where having the latest AMS signing all AAR doesn't provide equivalent
protection, I will eat a whole lot of crow and crawl back in my corner,
because I don't see it.
Bron.

--
  Bron Gondwana, CEO, FastMail Pty Ltd
  brong@fastmailteam.com

v2.23.0 | Report a Bug | By Email