IETF Logo Mail Archive

Re: [dmarc-ietf] indeterminisim of ARC-Seal b= value

Peter Goldstein <peter@valimail.com> Tue, 28 March 2017 00:24 UTC

Return-Path: <peter@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 698CE1296D5 for <dmarc@ietfa.amsl.com>; Mon, 27 Mar 2017 17:24:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.718
X-Spam-Level:
X-Spam-Status: No, score=-1.718 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hhNfkYmAQKC7 for <dmarc@ietfa.amsl.com>; Mon, 27 Mar 2017 17:24:11 -0700 (PDT)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E22131296C7 for <dmarc@ietf.org>; Mon, 27 Mar 2017 17:24:10 -0700 (PDT)
Received: by mail-qk0-x22f.google.com with SMTP id d10so47395352qke.1 for <dmarc@ietf.org>; Mon, 27 Mar 2017 17:24:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+ETGHwH3oukAjuRvSGFTCSyWnNMTbaeo8rHjliZb2l0=; b=Qejg2C+PNFi5YDo2lFkBj/K8exk/XsyM5tTnlY1Hx5Cs0nvGmgdJ9zjrqWLBZ9+kox NafwHjRxAQZZ1EMieNNhy/hfc8gxHZvX4ePeIabIQ9N9h0k3OBbCdvlKQG/mxV/5D2uU hj76MObAYkWodJIDZ7PM66Yt1dXsHLWZD5IUm0j2IxqtdauXnydJNzETEFi02PhN7xj2 ebkXccq5egyrgy8dlZ7Z750f1g14O8HWYq3Tt20LwPvjSEl4DzHWlqpa1w5+nNiGjAiD YgPD8KyiU8a4xF8nnDr6K/XK2h8+TDUKY5eaUhTXTqXPdkst7pc9OXmHSPpmoMusj8Hm rEEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+ETGHwH3oukAjuRvSGFTCSyWnNMTbaeo8rHjliZb2l0=; b=PnVsex7VIIe7SUo/ULaHt8nGr9C+zym2eA5X0v8daUsJ+iy1zfanW6IjIhnk+ySB7Z /7BS/ei9laZRVVBsD1w3CInY8ZUXWDIg1ppzo74Tn99xf4HIiPNce2DjgzNymXaZ+p5s u0Cefsd0pgfBbulxm+aAZb5a/2zwo5Zb2lgUTd8rVwhPDl08FBFj/xQJCZT77uroepoX ys2Cf6N48MPHNRaUk+v+2HNsmqyxAjH/iNuM5+mlw+WmcrO9y/czp7JSwLS4wAdOAjA1 gCqkj/gTN4OKw39QqE1A7keSNnXuCGBsww1uEfbQAw+LdYcPegU+56lTytihBpkjiFJE GlAA==
X-Gm-Message-State: AFeK/H1SZcN53l0bl7WGTez5Q+ac6mnU7Oy6CWgUSY9dTmd5OUwcnHemZX7Xz9SNHD3bebaibtJ6m0/4KOeDFQ==
X-Received: by 10.55.170.143 with SMTP id t137mr21701631qke.303.1490660649770; Mon, 27 Mar 2017 17:24:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.141.207 with HTTP; Mon, 27 Mar 2017 17:24:09 -0700 (PDT)
In-Reply-To: <CABa8R6umhETEP-B2--EwjZueE10FgAz+L_1rxUw1-Q9QP+rtKg@mail.gmail.com>
References: <CANtLugO_D1Mz_v_341pc5O1mZ7RhOTrFA3+Ob5-onp72+5uRfA@mail.gmail.com> <20170324212304.85346.qmail@ary.lan> <CANtLugOK4tXqA3ztYwchYsc8+t6KhyNj6mvgEu2wzvwKm_rK7A@mail.gmail.com> <alpine.OSX.2.20.1703262130330.4114@ary.local> <CAOj=BA1ruma6dp1CQht8sgYQ-xqGGE2a=R7=+DkXmaft8td2hw@mail.gmail.com> <CABa8R6v5pcA2jXbt0mO2Ej553UmgwCbVANx9HT-rqi27Pmq_TQ@mail.gmail.com> <CAOj=BA338rBMyQgSSz=usNi7s9L1ShO28nMSPmhYqzZ1oOKGzA@mail.gmail.com> <CABa8R6umhETEP-B2--EwjZueE10FgAz+L_1rxUw1-Q9QP+rtKg@mail.gmail.com>
From: Peter Goldstein <peter@valimail.com>
Date: Mon, 27 Mar 2017 17:24:09 -0700
Message-ID: <CAOj=BA20K15MBvGqUuaoDOibV3FZ9MWgH67Qqnd9_EX-uQtEhQ@mail.gmail.com>
To: Brandon Long <blong@google.com>
Cc: dmarc <dmarc@ietf.org>, Gene Shuman <gene@valimail.com>, John R Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary="94eb2c05d99a82bfe8054bbf7a95"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ra_lN6sgTMYXxXA0JNmMKWMZ3z8>
Subject: Re: [dmarc-ietf] indeterminisim of ARC-Seal b= value
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 00:24:16 -0000

Sure, generating the output message requires an ARC implementation.  Same
as generating a DKIM signature for validation requires an actual DKIM
implementation.  Or generating an SPF result for a complex situation
generally requires an actual SPF implementation.  Or generating an
ARC-signed input message for the verifying side of the test suite requires
some sort of ARC signing implementation.  But I wouldn't agree with the
inference that "we're testing against an unknown impl that we can't
validate is correct" in any of these cases.

The validity of the test suite derives from the fact that:

1. It was constructed from the RFC, and is built to cover a reasonably
comprehensive set of cases - more complete than any individual developer is
likely to consider.
2. While the output may have been generated with a particular
implementation, the test suite should be validated against a number of
independently developed implementations.  That ensures correctness, and
surfaces discrepancies which may represent ambiguities in the specification
and/or errors in the test suite or one or more of the implementations.
3. Once N implementations have validated, the N+1th implementation is
guaranteed a high degree of interoperability if it also passes the test
suite.
4. If new edge cases are discovered or evolved, interoperability can be
assured by adding them to the test suite and testing existing
implementations.  If there is ambiguity or disagreement in this
circumstance, this is an opportunity for the community to come up with the
agreed-upon right answer for behavior in this new case, and update the test
suite to reflect that.

None of this requires that we consider some unknown implementation that we
can't validate is correct.  The test suite becomes a statement of
consistency among the different implementers and their interpretations of
the RFC.  See the OpenSPF.org test suite for a good example of how this
works.

Having a fully deterministic specification makes this all a lot easier.

As I've stated previously, the alternative to the above is bundling a
reference ARC verifier with the test suite.  That means someone needs to
write such a reference verifier (or repurpose and repackage an existing
one).   In addition, the test suite needs to be updated to ensure the
reference implementation can be used as a service when developing ARC
implementations in any language.  That's more work, and it also makes the
use of the test suite much more complex.

I think tightening up some currently allowed ambiguity in the ARC
specification is a much simpler and much better solution.  I'm not sure why
there's such concern about canonicalizing the format and ordering of some
tag/value pairs.

Best,

Peter

On Mon, Mar 27, 2017 at 4:36 PM, Brandon Long <blong@google.com> wrote:

> Generating the tests did require an arc impl , however.  I can understand
> if this was simple enough to generate them by hand or with a couple lines
> of python, but instead we're testing against an unknown impl that we can't
> validate is correct.
>
> Brandon
>
>
>
> On Mar 27, 2017 12:02 PM, "Peter Goldstein" <peter@valimail.com> wrote:
>
> Brandon,
>
> How do you validate that the signature verifies?  To do that you need an
> entire ARC implementation that is packaged within the test suite (and the
> ability for it to run as a service, or make it available in some way to
> implementations being tested that are written in different languages).
> That's the whole point.
>
> The tests under discussion are validating that with assorted inputs
> (original message, DNS configuration, etc.) an ARC implementation produces
> a valid output message (correct ARC seal, ARC chain, etc.).  Essentially
> we're looking at testing that:
>
> SIGN(INPUTS) => OUTPUT MESSAGE
>
> With the canonicalization being proposed, the OUTPUT MESSAGE becomes a
> deterministic result, and verifying it becomes a matter of string
> comparison.  This is the success criterion:
>
> OUTPUT MESSAGE == EXPECTED MESSAGE
>
> Without the canonicalization being proposed, it will be necessary to run
> verification on the OUTPUT MESSAGE to assess whether the test gives the
> expected results for a generic implementation.  In that case this is the
> success criterion:
>
> ARC_VALIDATION(OUTPUT MESSAGE, INPUTS) == EXPECTED_ARC_STATE(INPUTS)
>
> We can't use the ARC validation implementation for the library under test,
> because it may share bugs with the signing side.  Instead we'll need to
> have a bundled ARC validaiton with the test suite.
>
> Does that make sense?
>
> Best,
>
> Peter
>
>
>
>
>
> On Mon, Mar 27, 2017 at 11:06 AM, Brandon Long <blong@google.com> wrote:
>
>> What does validating the exact signature generated benefit us over just
>> verifying that the signature verifies?
>>
>> I haven't looked at what the tests are for signing, though given the
>> descriptions  for the verifying tests, I'm not sure it would be obvious.
>> Can you summarize them?
>>
>> Brandon
>>
>> On Mar 26, 2017 9:26 PM, "Peter Goldstein" <peter@valimail.com> wrote:
>>
>>> John,
>>>
>>>
>>>> I have to say I don't find that very persuasive.  It's not hard to
>>>> write test code that checks for the hashes and fields in a signature header
>>>> without regard to what order they're in.  I would rather write better test
>>>> code than add fragile extra cruft to every ARC implementation.
>>>
>>>
>>> I honestly find this response a little unpersuasive  :).  There are two
>>> points I'd like to raise.
>>>
>>> First, the idea that locking down the format of the signature adds
>>> 'fragile extra cruft' seems off to me.  On the contrary, the suggestions in
>>> this thread reduce fragility - by requiring that the set of signed fields
>>> (ARC Message Signatures, ARC Seals) meet a well-defined, strict, and
>>> trivially verifiable format.  This is fairly standard practice in video,
>>> security, etc. protocols - every field has a place, and large scale
>>> re-ordering/re-formatting is not permitted unless there's a compelling
>>> technical reason.
>>>
>>> I'm not sure why there's a perceived value in accommodating ambiguity
>>> here - this is a brand new standard with a limited number of actual
>>> implementers.  There's no random person not on this list implementing ARC
>>> (especially given the standard isn't finalized).  And if there is, the
>>> whole idea of providing a globally usable automated test suite is to ensure
>>> that person can easily validate that their implementation will interoperate.
>>>
>>> Second, the premise that "it's not hard to write test code..." is simply
>>> not true.  What would be required to actually write such code would be
>>> either a) pick a preferred ordering/formatting for these tags, and only
>>> have the tests pass for that ordering or b) include a complete ARC
>>> verifying system in the test code.  The first is what OpenDKIM did for its
>>> specs (see below).  The latter is possible, but seems ill-advised for a
>>> test suite.
>>>
>>> To see that this is the case, it's useful to look at two earlier email
>>> standards and their corresponding test suites.  SPF has a language-agnostic
>>> test suite (http://www.openspf.org/Test_Suite) that makes it easy to
>>> test implementations in any language.  I've done it myself, and it requires
>>> minimal effort - https://github.com/ValiMail/
>>> coppertone/tree/master/spec/open_spf.  I can tell you from personal
>>> experience that the test suite was really helpful in ensuring the
>>> implementation was correct in all cases.
>>>
>>> There is no corresponding test suite for DKIM, and the ambiguity in
>>> tag/value ordering is the fundamental reason why.  The closest we come are
>>> the tests for OpenDKIM.  If you examine the signing tests for OpenDKIM,
>>> it's clear that they fail your "not hard" requirement.  I can write a
>>> perfectly valid, legal DKIM signing implementation that will fail all of
>>> OpenDKIM's signing tests, because OpenDKIM has a preferred ordering and
>>> formatting for tags.
>>>
>>> The OpenDKIM signing tests all check that OpenDKIM produces a signature
>>> header matching a constant string that embodies this preferred ordering.
>>> Any implementation that uses a different ordering/formatting will obviously
>>> fail.  Changing the tag ordering/formatting changes the hashed value in the
>>> header, so it's not just a matter of parsing some tag/value pairs.  And so
>>> short of a full DKIM verification implementation it's impossible to make a
>>> generic test suite that accepts all legal implementations.
>>>
>>> Frankly, this is somewhat unfortunate.  But DKIM is a relatively simple
>>> protocol.  ARC is more complicated, with multiple levels of signatures and
>>> more complex state.  Given the substantially more complicated nature of
>>> ARC, it's desirable to have a test suite that will pass any legal
>>> implementation.  Interops are great, but I'd take a bulletproof test suite
>>> over an interop any day of the week.
>>>
>>> I won't be at the IETF meeting this week, but I'd be happy to dive into
>>> this in more detail over email or phone if it's helpful.
>>>
>>> Best,
>>>
>>> Peter
>>>
>>> On Sun, Mar 26, 2017 at 7:32 PM, John R Levine <johnl@taugh.com> wrote:
>>>
>>>> It's even more important than it was with DKIM to have a test suite that
>>>>> can verify signing behavior.  If we don't agree on any sort of
>>>>> standard, a
>>>>> test suite will need to select a preferred format for the ARC headers &
>>>>> will fail all implementations that don't meet this form.  We've
>>>>> discussed
>>>>> this with Murray, and he agrees with this conclusion.
>>>>>
>>>>
>>>> I have to say I don't find that very persuasive.  It's not hard to
>>>> write test code that checks for the hashes and fields in a signature header
>>>> without regard to what order they're in.  I would rather write better test
>>>> code than add fragile extra cruft to every ARC implementation.
>>>>
>>>> As it happens, the IETF is meeting this week in Chicago, and I expect
>>>> I'll see Murray in the next day or two so I can talk to him directly.
>>>>
>>>>
>>>> R's,
>>>> John
>>>>
>>>> _______________________________________________
>>>> dmarc mailing list
>>>> dmarc@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dmarc
>>>>
>>>
>>>
>>>
>>> --
>>>
>>>
>>> [image: logo for sig file.png]
>>>
>>> Bringing Trust to Email
>>>
>>> Peter Goldstein | CTO & Co-Founder
>>>
>>> peter@valimail.com
>>> +1.415.793.5783 <(415)%20793-5783>
>>>
>>> _______________________________________________
>>> dmarc mailing list
>>> dmarc@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dmarc
>>>
>>>
>
>
> --
>
>
> [image: logo for sig file.png]
>
> Bringing Trust to Email
>
> Peter Goldstein | CTO & Co-Founder
>
> peter@valimail.com
> +1.415.793.5783 <(415)%20793-5783>
>
>
>


-- 


[image: logo for sig file.png]

Bringing Trust to Email

Peter Goldstein | CTO & Co-Founder

peter@valimail.com
+1.415.793.5783

v2.23.0 | Report a Bug | By Email