[dmarc-ietf] Authentication of reports

Michael Thomas <mike@mtcc.com> Wed, 20 January 2021 21:21 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D1713A14FE for <dmarc@ietfa.amsl.com>; Wed, 20 Jan 2021 13:21:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.751
X-Spam-Level:
X-Spam-Status: No, score=-1.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.248, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6dtgi12ZplyH for <dmarc@ietfa.amsl.com>; Wed, 20 Jan 2021 13:21:24 -0800 (PST)
Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [IPv6:2607:f8b0:4864:20::102b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2602D3A14C2 for <dmarc@ietf.org>; Wed, 20 Jan 2021 13:21:24 -0800 (PST)
Received: by mail-pj1-x102b.google.com with SMTP id m5so3027989pjv.5 for <dmarc@ietf.org>; Wed, 20 Jan 2021 13:21:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding:content-language; bh=G4OEIiD4NlCWS7DVUZ50D/k1UnOemAhLvTDoYJhpq3k=; b=W8RCaE8L0vksBfFxiGFjRRV78w0qYkIcOzMlKFzSVm6K4NHit5E8DKfVNLqGJOagL4 zN4d8zEHlZMz5+VfbaHw3vaMpv3YNMtl1XCzhvgqRm0Bzes1gPFNy5rAGRtmInj1kWef Kaaic8wwBA4lfeFx8WNp4fln2ZOI6+pzApQwXzetA2FCvn/wyh6f4B+6JE1Jd5yLYiqB VNtvGO7OE7HA51ksT65to42+PWwTjq4CzgdnW0WKYBv3BhjtgPkgWeGpQGXgM6ajciJU 36EMa1AO9mCp2T61zo+LzykMBoQj4ko/SOtzsY4b1Yd7PGCIx5E3T+wirFg3cdIByYMn JwkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding:content-language; bh=G4OEIiD4NlCWS7DVUZ50D/k1UnOemAhLvTDoYJhpq3k=; b=b6va332jQnO4BPPZlEHhrYO9FGUoEE1Nx9JfOfzNpk6UKtojbuekx9NprHzoaQLlF8 f0cN0cS9OPgzRp1h+qWE34m7BJyIYLLK+XprFBz01YL9qQfT+4eEkNF/5V5FIikEeUbw pmwE2cRaldhnSXyVbCxlQOXeokJjlrvz228EnudTqqx1BKTUqBWW9QYcfj7efnKM+3SF AhH7FH6yMdTdqI8YvR2ew061OF34fuRk0q87SeM0tNm/29q0Y74PnNlVxpPiephV0koJ sV9sdeCqJswTb6n11F8/+/ojW5/qDphZR3xeGSARSe4rPu+zLY6XK/Gn9URs5Xh42Y6P 9L8Q==
X-Gm-Message-State: AOAM531+KqlnwKzsdYbNnRd3iSvQhCXcqQWQTrTZfqA6or21BM3idH6s eRQoTWWI2qcITN/iTTDoKnpkkPEEc4tZKA==
X-Google-Smtp-Source: ABdhPJz3yBWHahIM7du0eDlnTlwkoapj0i4Xit2T8nr4Pvbs6hSXgxZIFFVtRRHHD6R9FJ+gQUcIHg==
X-Received: by 2002:a17:90a:7f8f:: with SMTP id m15mr160692pjl.214.1611177683101; Wed, 20 Jan 2021 13:21:23 -0800 (PST)
Received: from mike-mac.lan (107-182-35-22.volcanocom.com. [107.182.35.22]) by smtp.gmail.com with ESMTPSA id d4sm3244339pfo.127.2021.01.20.13.21.22 for <dmarc@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 20 Jan 2021 13:21:22 -0800 (PST)
To: "dmarc@ietf.org" <dmarc@ietf.org>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <af4c2a23-4a55-9103-487c-72a394fa594f@mtcc.com>
Date: Wed, 20 Jan 2021 13:21:21 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/raKUOp-kYwGEbZDUlgJ8-kDjv2E>
Subject: [dmarc-ietf] Authentication of reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2021 21:21:25 -0000

I just scanned through DMARC and I couldn't find any security 
requirements/mechanisms for the failure reports. I would think at the 
very least the receiver consuming the reports ought make certain that 
the report at the very least have either a valid DKIM signature or a SPF 
pass. Unauthenticated data is always the source of mischief, and I'm 
sure that there have to be attacks that are possible with 
unauthenticated reports. At the very least this should be a security 
consideration, and most likely should have some normative language to 
back it up.

Since I'm sort of new, it's been unclear to me whether whether having a 
new https transport mechanism is in scope or not -- it seems to come up 
pretty often -- but I'm not sure how people would propose to 
authenticate the report sending client. That seems to me to be a basic 
security requirement for any new delivery method. The problem here is 
there isn't a client certificate to determine where the report is coming 
from or any other identifying mechanism. An alternative might be to DKIM 
sign the report itself, but the long and short is that it would need to 
be addressed.

Mike