Re: [dmarc-ietf] Sibling Authentication
Douglas Foster <dougfoster.emailstandards@gmail.com> Sat, 03 June 2023 02:00 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56B1AC151709 for <dmarc@ietfa.amsl.com>; Fri, 2 Jun 2023 19:00:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.084
X-Spam-Level:
X-Spam-Status: No, score=-7.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_PDS_PRO_TLD=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BPjJCyZgaD40 for <dmarc@ietfa.amsl.com>; Fri, 2 Jun 2023 19:00:00 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21779C14CF1D for <dmarc@ietf.org>; Fri, 2 Jun 2023 19:00:00 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id 2adb3069b0e04-4f3a99b9177so3773617e87.1 for <dmarc@ietf.org>; Fri, 02 Jun 2023 19:00:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1685757597; x=1688349597; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=MonO69C1sX9zq4E/sO+gOb4S+Bhcmmle8Cv/hxmZZDw=; b=iHeP48FiNe8w57CrBa6B40u1aaaR8a15PaTEUAQXUEvdR5re5et53dM/Bh43Xs69TD fXPMoXfUqDfcdH/quS9rN0rsDlbDH1abniKgAx/BR3huXvc6jtHHEFF1gkunmQS5hV5v QOsUHOmN6wnspd20FhxRU1pjxFJ0iVKJtzUnF1vY2iInCxVysJIklhPXXqjjCTjiwMv5 d5q5dPQEmLfrDTTjeZw+JnIl/FPquw0ZoUSocID+fLwEXAsFs4lQrzu+4gl2CL6TMiRW uEJaWNRcSaak9uL7knVuFL1jE/Y5mE344XkvFBFU6r91FiKCQpU5JCzN8oa25LWJfa9m nb1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1685757597; x=1688349597; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=MonO69C1sX9zq4E/sO+gOb4S+Bhcmmle8Cv/hxmZZDw=; b=ELLgsdLQK+pQTolFwE6zQD0uXaBZV1e7HWjDosBih+YM9qu2BnwV19DvHNhH7UmUfg SHM3hYQlYtAWh8fk0wXlXjqfKOwWUQvgDSP18kWJNW+LtWlcj+df2dOQdnukVmBpXh8U xVMwjSvM8nIY+Z6XwqJQmthOZu1NTpMTrbr+pJSvaVfzJJ6ZvLP6WbWoC5rIkytB4llr oiB0icjDFqRoRD1QPeByX1X66nUlm0aXzHdKwAvAiwO+F0yRXMG8OFHAQyoXctAJh2is 1YOZyA2t4zKbwfY9w+Cttt2Zp62g1Hq+d2oKVMyxEZ+sT/8yl0W78+WKoLrxOPIaRPko Ky5A==
X-Gm-Message-State: AC+VfDz/ECE/KyNYPcUmzQSyCWMFvn3Cs2pLCplCrnsxUp9TffZSSQGD 058I7iZavdKpGU3xvWDANP+kvKLyQ/KiLLINFSuMJDkRxwM=
X-Google-Smtp-Source: ACHHUZ5ae9dI5/uhVC9DOkoeNun+0Tl5RAzuHaRMEbe7SbzelKkWU31VpJ61Wt2T5tJ/kQELWfWgNvqVG+QK4G2z9Dw=
X-Received: by 2002:ac2:599d:0:b0:4f3:a44d:6982 with SMTP id w29-20020ac2599d000000b004f3a44d6982mr2693506lfn.45.1685757596309; Fri, 02 Jun 2023 18:59:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48Zfym2GqK4XWaavVykoqfiscZms9CBUzuY9cg=98WS4Aipg@mail.gmail.com> <CAL0qLwauFLwWr0SMOLjZ-Ec6Svmw893qJr=y-4WxBFLFdmSKJA@mail.gmail.com>
In-Reply-To: <CAL0qLwauFLwWr0SMOLjZ-Ec6Svmw893qJr=y-4WxBFLFdmSKJA@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Fri, 02 Jun 2023 21:59:46 -0400
Message-ID: <CAH48ZfyAGn_O+3uHzAWYmj1DOj_4O3OL+4jhpJh6L2Xc3MfeVA@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b49ce105fd300623"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/qrzE0QcFOH9187gOtTID4bgyjVY>
Subject: Re: [dmarc-ietf] Sibling Authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Jun 2023 02:00:05 -0000
To one of Murray's questions, below is a repost of the list that I pulled out of DNS a long time ago - PSL entries (without internationalization) that had a DMARC policy Of the 45 names, a few specify strict, a few specify relaxed, one is mixed, and most do not specify an alignment policy. Back when we thought this process would finish in our current century, Scott volunteered to hunt down these domain owners prior to publication. It could still be done, and the problem could reoccur. I am all for finishing, if we can do it well. To Murray's definition question, the sibling alignment problem occurs when a PSL or private registry has a DMARC policy with relaxed alignment. Call it privateregistry.com It either does not have a PSL=Y term or the evaluator does not know to look for the PSL=Y term. Additionally, client1.privateregisry.com does not have a DMARC policy (or the PSL incorrectly fails to list the private registry) and client2.privateregistry.com signs with his own domain to impersonate FROM= user@client1.privateregistry.com The PSL problem and this tree walk problem are essentially the same risk.. Axiom's matter. We have reached this point by assuming that the entire relaxed alignment regime had to be preserved, and the only way to solve the PSL problem was to create lesser problems. The PSL problem primarily matter because sibling alignment exists. If we drop sibling alignment in favor of vertical alignment, we solve the primary problem and the PSL matters very little. So the question becomes whether sibling alignment is needed. My data says "No". Does anyone else have data to contribute? We are on at least the third design. None have been supported with data. I have never considered any of them to be designed in a way that will be viable, so it seemed necessary to go on record that I will be voting No when the time comes to vote. You can plan around me that way. Doug The list: _dmarc.0emm.com,v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com _dmarc.adobeaemcloud.com,v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto: adobe@rua.agari.com; ruf=mailto:adobe@ruf.agari.com; fo=1 _dmarc.amazonaws.com.cn,v=DMARC1; p=quarantine; pct=100; rua=mailto: report@dmarc.amazon.com; ruf=mailto:report@dmarc.amazon.com _dmarc.appspot.com,v=DMARC1; p=reject; rua=mailto: mailauth-reports@google.com _dmarc.bytemark.co.uk,v=DMARC1; p=none; rua=mailto: mailauth-reports@bytemark.co.uk _dmarc.cloudapps.digital,"v=DMARC1; p=reject; fo=1; rua=mailto: dmarc-groups-test@digital.cabinet-office.gov.uk, dmarc-rua@dmarc.service.gov.uk;ruf=mailto: dmarc-groups-test@digital.cabinet-office.gov.uk, dmarc-ruf@dmarc.service.gov.uk" _dmarc.cloudplatform.fi,v=DMARC1; p=none _dmarc.ddnss.de,v=DMARC1; p=reject; rua=mailto:service@ddnss.de; ruf=mailto: service@ddnss.de; fo=1; ri=1; adkim=r; aspf=s _dmarc.dnstrace.pro,v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; _dmarc.eu.org,v=DMARC1;p=none;sp=none;pct=10;rua=mailto:dmarc-master@eu.org ;ruf=mailto:dmarc-master@eu.org _dmarc.fastly.net,v=DMARC1; p=quarantine; rua=mailto: mailauth-reports@fastly.com _dmarc.fedoraproject.org,v=DMARC1; p=none; rua=mailto: dmarc-admin@fedoraproject.org; ruf=mailto:dmarc-admin@fedoraproject.org; fo=0 _dmarc.funkfeuer.at,v=DMARC1; p=none _dmarc.gateway.dev,v=DMARC1; p=reject; rua=mailto: mailauth-reports@google.com _dmarc.gov.scot,v=DMARC1;p=none;sp=none;fo=1;rua=mailto: dmarc-rua@dmarc.service.gov.uk;ruf=mailto:dmarc@gov.scot _dmarc.gov.uk ,v=DMARC1;p=reject;sp=none;np=reject;adkim=s;aspf=s;fo=1;rua=mailto: dmarc-rua@dmarc.service.gov.uk _dmarc.hosteur.com,v=DMARC1; p=none; rua=mailto:postmaster@hosteur.com _dmarc.interhostsolutions.be,v=DMARC1; p=none; rua=mailto: dmarc@xmdud94q.uriports.com; ruf=mailto:dmarc@xmdud94q.uriports.com; fo=1:d:s _dmarc.jelastic.com,v=DMARC1; p=none; rua=mailto:dmarc-reports@jelastic.com _dmarc.lcl.dev,v=DMARC1; p=none; pct=100; rua=mailto:systems?dmarc@clerk.dev; ruf=mailto:systems?dmarc@clerk.dev; fo=1; ri=3600; _dmarc.lclstage.dev,v=DMARC1; p=none; pct=100; rua=mailto:systems? dmarc@clerk.dev; ruf=mailto:systems?dmarc@clerk.dev; fo=1; ri=3600; _dmarc.linode.com,v=DMARC1; p=reject; sp=quarantine; pct=100; rua=mailto: 813b13d662ad87bb7b1b73ca4a1da967-d@dmarc.report-uri.com _dmarc.magentosite.cloud,v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto: adobe@rua.agari.com; ruf=mailto:adobe@ruf.agari.com; fo=1 _dmarc.massivegrid.com,v=DMARC1;p=none;pct=100;ri=86400;rua=mailto: dmarc@massivegrid.com _dmarc.my.id,v=DMARC1; p=quarantine; rua=mailto:abuse@my.id; _dmarc.ovh.net,v=DMARC1; p=none; rua=mailto:dmarc?.net@abuse.ovh.net; rf=afrf; pct=100; _dmarc.panel.gg,v=DMARC1; p=none; pct=100; rua=mailto:re????@ dmarc.postmarkapp.com; sp=none; aspf=r; _dmarc.platform.sh,"v=DMARC1;p=none;sp=none;rua=mailto: 3eca85e316@rua.easydmarc.eu,mailto:dmarc-rua@platform.sh;ruf=mailto: 3eca85e316@ruf.easydmarc.eu,mailto:dmarc-ruf@platform.sh;fo=1" _dmarc.prgmr.com,v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto: postmaster@prgmr.com _dmarc.pstmn.io,v=DMARC1; p=quarantine; pct=100; rua=mailto: dmarc@postman.com; ruf=mailto:dmarc@postman.com; _dmarc.pythonanywhere.com,v=DMARC1; p=none; rua=mailto: support@pythonanywhere.com _dmarc.quipelements.com,v=DMARC1;p=reject _dmarc.render.com,v=DMARC1; p=none; pct=100; rua=mailto:re????@ dmarc.postmarkapp.com; sp=none; aspf=r; _dmarc.rit.edu,v=DMARC1; p=none; fo=1; rua=mailto:dmarc@rit.edu; ruf=mailto: dmarc@rit.edu; adkim=r; aspf=r; pct=100; _dmarc.run.app,v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com _dmarc.scaleforce.net,v=DMARC1; p=quarantine; rua=mailto: dmarc@scaleforce.net; ruf=mailto:dmarc@scaleforce.net; sp=quarantine _dmarc.stdlib.com,v=DMARC1; p=quarantine; pct=100; rua=mailto:jacob?@ stdlib.com _dmarc.stg.dev,v=DMARC1; p=none; pct=100; rua=mailto:systems?dmarc@clerk.dev; ruf=mailto:systems?dmarc@clerk.dev; fo=1; ri=3600; _dmarc.stgstage.dev,v=DMARC1; p=none; pct=100; rua=mailto:systems? dmarc@clerk.dev; ruf=mailto:systems?dmarc@clerk.dev; fo=1; ri=3600; _dmarc.transurl.be,v=DMARC1; p=reject; _dmarc.transurl.eu,v=DMARC1; p=reject; _dmarc.transurl.nl,v=DMARC1; p=reject; _dmarc.unispace.io,v=DMARC1; p=none; rua=mailto:dmarc-reports@unispace.io; _dmarc.virtualcloud.com.br,v=DMARC1; p=none; rua=mailto: dmarc@zcs.jetmailx.com.br; ruf=mailto:dmarc@tavola.com.br; rf=afrf; sp=none; fo=0:1:d:s; pct=100; ri=86400; aspf=s _dmarc.wafaicloud.com,v=DMARC1;p=none;pct=100;rua=mailto: admin@wafaicloud.com;ruf=mailto:admin@wafaicloud.com On Thu, Jun 1, 2023 at 10:02 AM Murray S. Kucherawy <superuser@gmail.com> wrote: > On Thu, Jun 1, 2023 at 4:03 AM Douglas Foster < > dougfoster.emailstandards@gmail.com> wrote: > >> I cannot support the current draft because it creates new problems >> without sufficiently solving the old ones. >> >> The PSL is subject to two types of errors: >> - Landing too high, causing False Pass on non-affiliated domains >> - Landing too low, causing False Fail or False NoPolicy on domains that >> are actually affiliated. >> False Pass presents the greater threat. While it could occur on any type >> of non-strict alignment, the primary concern is False Pass on sibling >> alignment. >> [...] >> > > Can you please define, or give an example of, "sibling alignment"? My > understanding of "sibling" in a tree structure is two or more nodes at the > same level with a common parent. In that sense, twitter.com and > facebook.com are siblings. In the DMARC environment, how could one align > with the other? Or is your claim that they could align if, say, ".com" > chose to assert policy about them and they omit to assert their own? > > The bottom-up-first-stop tree walk attempts to solve the problem of False >> Pass by using an algorithm that will often land too low, causing False Fail. >> > > Can you give an example of this? > > >> Nonetheless, it fails to solve the whole problem because evaluators are >> still at risk from private registries that publish a DMARC policy with >> strict alignment but without a PSD tag. The proposed tree walk has other >> problems, because it changes an organization's relaxed alignment boundary >> every time that a policy is added or removed. >> > > And this? > > >> As long as the parent-child and child-parent forms of relaxed alignment >> are permitted, we need an explicit tagging mechanism which gives the domain >> owner full control over alignment boundaries and eliminates uncertainty >> about the domain owner's intent. Parent-child and child-parent >> authentication will be important for as long as SPF-alignment is >> necessary. For DKIM signatures, I am not convinced that relaxed alignment >> should be necessary even though it has some current use because it is >> allowed. >> > > An example here would really help. > > -MSK, participating >
- [dmarc-ietf] Sibling Authentication Douglas Foster
- Re: [dmarc-ietf] Sibling Authentication Murray S. Kucherawy
- Re: [dmarc-ietf] Sibling Authentication Barry Leiba
- Re: [dmarc-ietf] Sibling Authentication Douglas Foster