IETF Logo Mail Archive

Re: [dmarc-ietf] indeterminisim of ARC-Seal b= value

Peter Goldstein <peter@valimail.com> Mon, 27 March 2017 19:03 UTC

Return-Path: <peter@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E0B312957D for <dmarc@ietfa.amsl.com>; Mon, 27 Mar 2017 12:03:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.718
X-Spam-Level:
X-Spam-Status: No, score=-1.718 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ekldKdfkKkhE for <dmarc@ietfa.amsl.com>; Mon, 27 Mar 2017 12:03:26 -0700 (PDT)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 663E11294D3 for <dmarc@ietf.org>; Mon, 27 Mar 2017 12:02:48 -0700 (PDT)
Received: by mail-qk0-x22d.google.com with SMTP id d10so41298653qke.1 for <dmarc@ietf.org>; Mon, 27 Mar 2017 12:02:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ZobVofhniP3NAI3ekbSooQSRV8nXUkhOcWL3oP8aaek=; b=anzE4Tkfn2gLe9C0BFmWAtLXZQxu/gzlp4XLqqL/mRhaHTBPjgaehsW90XGO/xQIoO CgnkbV5VuOtdBt++S+UT/SNPKt5w4r3cYSwHepFu6LQb1pEvQ6pIxZUHfr3ApUy0VxKI OmYdJqHcf5Ls4H9kEg/TqV6maFFnZmlPdpkjxhGm3qq12tj38LPGLKNV28+QUh3tO2St yhCeZuCjsASTNDGnlUHAyvK8K6bUpdN1cME3LDKNWiZQiRrisHxjpo1vWQXHcPbhcUUs AFkLnTw4rOB1uNZb0+C2SdL6BFZRp3Q3BQJmfcn1PKb3nn71g1eRaa1dXn5gHfF4Pmwz RZXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ZobVofhniP3NAI3ekbSooQSRV8nXUkhOcWL3oP8aaek=; b=Ru7fw1cxkRk5XnzVpHddKDVv1XyZh7DvhhFLS6HIV9LjKUSxzhZ0RaieoUkQkK8YYz pFloW4X5gI/qO1oshwwrKq5afcPJLatkr4y3sbogOw4TmX+zFCkR+4PVTVUCd4Hsxb0Y bufgFlE6d2F01TMXVtSkUwZzbW40RdCIle5l4hBxBHv9M6dJ4HAxwNXnZDM1zX9X/Njk A6/rg8o+MMu95qbjOUXjseQRkoipScrNh2KgI3WVfnLylr64D/io7GN2NovbGIug1ptI sfD3gMLGJOgA8Yj7mKSeVrrnod3trW+bufM5rT8eG8pXDdR6rSxAfVoUmYqsLiKmrUQG Wu2w==
X-Gm-Message-State: AFeK/H1xqkNPPusAi0ABq9a1K/p6bx7IGksXKGwHrD91NqpT536qRKwxGCfsi9xj1hAyDMsu7ptY5wlw9ukUCg==
X-Received: by 10.55.214.26 with SMTP id t26mr15600475qki.16.1490641366551; Mon, 27 Mar 2017 12:02:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.141.207 with HTTP; Mon, 27 Mar 2017 12:02:46 -0700 (PDT)
In-Reply-To: <CABa8R6v5pcA2jXbt0mO2Ej553UmgwCbVANx9HT-rqi27Pmq_TQ@mail.gmail.com>
References: <CANtLugO_D1Mz_v_341pc5O1mZ7RhOTrFA3+Ob5-onp72+5uRfA@mail.gmail.com> <20170324212304.85346.qmail@ary.lan> <CANtLugOK4tXqA3ztYwchYsc8+t6KhyNj6mvgEu2wzvwKm_rK7A@mail.gmail.com> <alpine.OSX.2.20.1703262130330.4114@ary.local> <CAOj=BA1ruma6dp1CQht8sgYQ-xqGGE2a=R7=+DkXmaft8td2hw@mail.gmail.com> <CABa8R6v5pcA2jXbt0mO2Ej553UmgwCbVANx9HT-rqi27Pmq_TQ@mail.gmail.com>
From: Peter Goldstein <peter@valimail.com>
Date: Mon, 27 Mar 2017 12:02:46 -0700
Message-ID: <CAOj=BA338rBMyQgSSz=usNi7s9L1ShO28nMSPmhYqzZ1oOKGzA@mail.gmail.com>
To: Brandon Long <blong@google.com>
Cc: dmarc <dmarc@ietf.org>, Gene Shuman <gene@valimail.com>, John R Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary="001a1149dfbe248eca054bbafd6a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/rC6GUM2YmXfrAYjwATfTycLGmR8>
Subject: Re: [dmarc-ietf] indeterminisim of ARC-Seal b= value
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 19:03:30 -0000

Brandon,

How do you validate that the signature verifies?  To do that you need an
entire ARC implementation that is packaged within the test suite (and the
ability for it to run as a service, or make it available in some way to
implementations being tested that are written in different languages).
That's the whole point.

The tests under discussion are validating that with assorted inputs
(original message, DNS configuration, etc.) an ARC implementation produces
a valid output message (correct ARC seal, ARC chain, etc.).  Essentially
we're looking at testing that:

SIGN(INPUTS) => OUTPUT MESSAGE

With the canonicalization being proposed, the OUTPUT MESSAGE becomes a
deterministic result, and verifying it becomes a matter of string
comparison.  This is the success criterion:

OUTPUT MESSAGE == EXPECTED MESSAGE

Without the canonicalization being proposed, it will be necessary to run
verification on the OUTPUT MESSAGE to assess whether the test gives the
expected results for a generic implementation.  In that case this is the
success criterion:

ARC_VALIDATION(OUTPUT MESSAGE, INPUTS) == EXPECTED_ARC_STATE(INPUTS)

We can't use the ARC validation implementation for the library under test,
because it may share bugs with the signing side.  Instead we'll need to
have a bundled ARC validaiton with the test suite.

Does that make sense?

Best,

Peter





On Mon, Mar 27, 2017 at 11:06 AM, Brandon Long <blong@google.com> wrote:

> What does validating the exact signature generated benefit us over just
> verifying that the signature verifies?
>
> I haven't looked at what the tests are for signing, though given the
> descriptions  for the verifying tests, I'm not sure it would be obvious.
> Can you summarize them?
>
> Brandon
>
> On Mar 26, 2017 9:26 PM, "Peter Goldstein" <peter@valimail.com> wrote:
>
>> John,
>>
>>
>>> I have to say I don't find that very persuasive.  It's not hard to write
>>> test code that checks for the hashes and fields in a signature header
>>> without regard to what order they're in.  I would rather write better test
>>> code than add fragile extra cruft to every ARC implementation.
>>
>>
>> I honestly find this response a little unpersuasive  :).  There are two
>> points I'd like to raise.
>>
>> First, the idea that locking down the format of the signature adds
>> 'fragile extra cruft' seems off to me.  On the contrary, the suggestions in
>> this thread reduce fragility - by requiring that the set of signed fields
>> (ARC Message Signatures, ARC Seals) meet a well-defined, strict, and
>> trivially verifiable format.  This is fairly standard practice in video,
>> security, etc. protocols - every field has a place, and large scale
>> re-ordering/re-formatting is not permitted unless there's a compelling
>> technical reason.
>>
>> I'm not sure why there's a perceived value in accommodating ambiguity
>> here - this is a brand new standard with a limited number of actual
>> implementers.  There's no random person not on this list implementing ARC
>> (especially given the standard isn't finalized).  And if there is, the
>> whole idea of providing a globally usable automated test suite is to ensure
>> that person can easily validate that their implementation will interoperate.
>>
>> Second, the premise that "it's not hard to write test code..." is simply
>> not true.  What would be required to actually write such code would be
>> either a) pick a preferred ordering/formatting for these tags, and only
>> have the tests pass for that ordering or b) include a complete ARC
>> verifying system in the test code.  The first is what OpenDKIM did for its
>> specs (see below).  The latter is possible, but seems ill-advised for a
>> test suite.
>>
>> To see that this is the case, it's useful to look at two earlier email
>> standards and their corresponding test suites.  SPF has a language-agnostic
>> test suite (http://www.openspf.org/Test_Suite) that makes it easy to
>> test implementations in any language.  I've done it myself, and it requires
>> minimal effort - https://github.com/ValiMail/
>> coppertone/tree/master/spec/open_spf.  I can tell you from personal
>> experience that the test suite was really helpful in ensuring the
>> implementation was correct in all cases.
>>
>> There is no corresponding test suite for DKIM, and the ambiguity in
>> tag/value ordering is the fundamental reason why.  The closest we come are
>> the tests for OpenDKIM.  If you examine the signing tests for OpenDKIM,
>> it's clear that they fail your "not hard" requirement.  I can write a
>> perfectly valid, legal DKIM signing implementation that will fail all of
>> OpenDKIM's signing tests, because OpenDKIM has a preferred ordering and
>> formatting for tags.
>>
>> The OpenDKIM signing tests all check that OpenDKIM produces a signature
>> header matching a constant string that embodies this preferred ordering.
>> Any implementation that uses a different ordering/formatting will obviously
>> fail.  Changing the tag ordering/formatting changes the hashed value in the
>> header, so it's not just a matter of parsing some tag/value pairs.  And so
>> short of a full DKIM verification implementation it's impossible to make a
>> generic test suite that accepts all legal implementations.
>>
>> Frankly, this is somewhat unfortunate.  But DKIM is a relatively simple
>> protocol.  ARC is more complicated, with multiple levels of signatures and
>> more complex state.  Given the substantially more complicated nature of
>> ARC, it's desirable to have a test suite that will pass any legal
>> implementation.  Interops are great, but I'd take a bulletproof test suite
>> over an interop any day of the week.
>>
>> I won't be at the IETF meeting this week, but I'd be happy to dive into
>> this in more detail over email or phone if it's helpful.
>>
>> Best,
>>
>> Peter
>>
>> On Sun, Mar 26, 2017 at 7:32 PM, John R Levine <johnl@taugh.com> wrote:
>>
>>> It's even more important than it was with DKIM to have a test suite that
>>>> can verify signing behavior.  If we don't agree on any sort of
>>>> standard, a
>>>> test suite will need to select a preferred format for the ARC headers &
>>>> will fail all implementations that don't meet this form.  We've
>>>> discussed
>>>> this with Murray, and he agrees with this conclusion.
>>>>
>>>
>>> I have to say I don't find that very persuasive.  It's not hard to write
>>> test code that checks for the hashes and fields in a signature header
>>> without regard to what order they're in.  I would rather write better test
>>> code than add fragile extra cruft to every ARC implementation.
>>>
>>> As it happens, the IETF is meeting this week in Chicago, and I expect
>>> I'll see Murray in the next day or two so I can talk to him directly.
>>>
>>>
>>> R's,
>>> John
>>>
>>> _______________________________________________
>>> dmarc mailing list
>>> dmarc@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dmarc
>>>
>>
>>
>>
>> --
>>
>>
>> [image: logo for sig file.png]
>>
>> Bringing Trust to Email
>>
>> Peter Goldstein | CTO & Co-Founder
>>
>> peter@valimail.com
>> +1.415.793.5783 <(415)%20793-5783>
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
>>


-- 


[image: logo for sig file.png]

Bringing Trust to Email

Peter Goldstein | CTO & Co-Founder

peter@valimail.com
+1.415.793.5783

v2.23.0 | Report a Bug | By Email