Re: [dmarc-ietf] ARC questions

Michael Thomas <mike@mtcc.com> Sat, 05 December 2020 00:44 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D3BD3A10B5 for <dmarc@ietfa.amsl.com>; Fri, 4 Dec 2020 16:44:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.05
X-Spam-Level:
X-Spam-Status: No, score=-1.05 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_HEX=0.1, URI_NOVOWEL=0.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3fYa-TM2pKEI for <dmarc@ietfa.amsl.com>; Fri, 4 Dec 2020 16:44:47 -0800 (PST)
Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5C9C3A10B3 for <dmarc@ietf.org>; Fri, 4 Dec 2020 16:44:47 -0800 (PST)
Received: by mail-pf1-x42f.google.com with SMTP id w6so4935509pfu.1 for <dmarc@ietf.org>; Fri, 04 Dec 2020 16:44:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=Si4xaL6CNmr8LU7KJQKirv4Rh5psNwM+JmAZ/wjmYH8=; b=MghmoSnQVL0qIiDCMlBBmLax3e1n5gRmmmYu+w96z2DBRC8yimtNnx+DzUMyHfDabB bER2/OjXUl4GWz4Nm9DrVsUkg0QiiyKFTuKPJao4BUa1k3tAXhgNFTprFaXZDz+x2Nzk bGQjxnsNdj8MiRo3ltcGvP5QyJeX8w45faUMYuEJCOxQqftFg256ylKKVAOauUR+F7wT DnrHQmWz66QQhMLgpRnzBMRiGJhXVNYAaYuIsxgTRernHQ33eXIE6zQAXzDJpjCn5xwV Fz24TyjM/A/0Odyt6OzAGebuJ1P+1bfZkYmSql7teQvBhH+KuxWqDVLI/IKjZbdk2bNS XGcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=Si4xaL6CNmr8LU7KJQKirv4Rh5psNwM+JmAZ/wjmYH8=; b=Dt2QQUaoM2Sjlz7PtJ1Pp6fVms2utPbsYBCaPYQ+e+v7V+AeRsfw1yEum3LOertlnt YQ1WCtwUZMgOefgfnqb6gsl78yH3g+9Bwe10UFyhrhrvPwTJ5aFkFWkziXIQ5kWsfMYH tzYX2aVanxOsvZZMZi/vZ3gDhBZ+6mmfftHEyRssm/widIaAzGTmt8/rNyd9VQyWtZLU rP92w62TJNMv6XbnfNWYd8E70Ng8tfrJF41Lt4WMR3Yi+E++kPFmFkSLHmAjzPvTewra 98KnQYQaxrChWqw+WCQzyMv+DiK6trcwfd9HbIk72hm9xrxG/beZsyQFhqHbtUGswmYI Bljw==
X-Gm-Message-State: AOAM532ZAXaOU731glh3R4b6PSn2V39WH1lnzikRdxtDb6XzlKYmaGpG jI+iZev4wGrGuCJ5V2YTlFN14WD3J7P3eA==
X-Google-Smtp-Source: ABdhPJyuNO5bjp6RPnfTNrD8daqAF8IB2Q6QuImzZs20/aM7ghGmIw/zAmGaOvZGAb/wCHECkyLr9A==
X-Received: by 2002:a62:5b05:0:b029:197:fafb:50f3 with SMTP id p5-20020a625b050000b0290197fafb50f3mr6256988pfb.76.1607129086627; Fri, 04 Dec 2020 16:44:46 -0800 (PST)
Received: from mike-mac.lan (107-182-42-33.volcanocom.com. [107.182.42.33]) by smtp.gmail.com with ESMTPSA id g14sm5999773pfo.198.2020.12.04.16.44.45 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 04 Dec 2020 16:44:45 -0800 (PST)
To: Brandon Long <blong@google.com>
Cc: "John R. Levine" <johnl@iecc.com>, "dmarc@ietf.org" <dmarc@ietf.org>
References: <20201124020453.AFDC027CE5C8@ary.qy> <cd855b53-d9bd-3412-3bd5-dc4b7720dc5c@mtcc.com> <CABa8R6s0bfs87Fu9eOq_R3WH1pngauVXrw3RSPe9iWWCtf3AmQ@mail.gmail.com> <c954eadd-5c85-c0d9-2168-8a42de506b72@mtcc.com> <CABa8R6swzAQLPU=xE2tr1W0J5r+w80BSYu87_ubMwHaUMgmKvA@mail.gmail.com> <1eed8278-4efa-4abc-15e0-2efcf014e82e@mtcc.com> <CABa8R6sEk+dHwHjBCKDgcmeT_Z3FymC5+jzy-GGa=7gJYvOf5A@mail.gmail.com> <446d491b-100a-9813-6463-2294f67bbda7@mtcc.com> <aafa5e78-aff9-8076-b76f-62f5b3a13fc1@taugh.com> <4190de2d-9f17-06d5-6354-30c989eecd4a@mtcc.com> <17d886fd-49fd-28d8-f8e4-7caf2e85919c@taugh.com> <f785884b-2a3d-a6fe-6bb6-ee792d23ff23@mtcc.com> <d5e9dbe-7d83-d3b1-2aa9-3e3562d3e75@taugh.com> <8bc3c7ad-2a42-3eed-524c-8c50b16131c2@mtcc.com> <42178950-1ac3-27b4-a981-155fd9117969@taugh.com> <a669c3b9-a9e5-91cb-cd39-e73115e90766@mtcc.com> <70bd5e9-f0e8-3bdf-c5f0-6428841e1577@iecc.com> <162586f5-d565-0e4f-955d-8ceca1d569d2@mtcc.com> <CABa8R6v+p7zWh1tJO+FUiepR3gvBADR1NPhmW1ED7pdvPxKPZA@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <40732425-0814-9e9a-2b7d-7adb304e9cdb@mtcc.com>
Date: Fri, 4 Dec 2020 16:44:44 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <CABa8R6v+p7zWh1tJO+FUiepR3gvBADR1NPhmW1ED7pdvPxKPZA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------8443E68D44ACE96A74DDD241"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/sUl3v9R7cO5_ubQyFMZ2n8Sgjzk>
Subject: Re: [dmarc-ietf] ARC questions

On 12/4/20 3:27 PM, Brandon Long wrote:
> I'm pretty sure I explained what the X-Google-DKIM-Signature was in this or
> related threads.  It was part of the original attempt at ARC, which was
> X-Original-Authentication-Results.  Adding just an XOAR header was not
> sufficient, we had to have reason to trust it, so we added the signature.
> We didn't re-use the existing DKIM-Signature header name because that
> header was already used by DMARC and had a bunch of other uses that we
> didn't want to use.

DKIM doesn't have to be from the originating domain, and if you look at 
my mail headers in this message, you will see there is no originating 
domain signature because I changed over to gsuite last year. DMARC would 
just ignore all of those non-From domain signatures. I don't see the 
problem here.

I don't understand what you mean about "trust". I thought the entire
point of ARC was to deliver the intermediary's auth-res for
consideration to the next hop(s). That could be done with XOAR and DKIM.
If you don't agree, I would appreciate a step-by-step why that is not
the case because I'm just not seeing it.

And if X-Google is legacy, why is it still in your email headers? I have 
to say that when I came upon all of this it was definitely a wtf moment. 
I imagine that other people less familiar will look at it and have a 
FOMO moment.


> So yes, that's a way to work around some of the issues if we wanted to
> pursue the DKIM+A-R, just have everyone sign with a different domain that
> you don't use for mail.  That seems heavier weight to me, but that would
> be a single-hop solution.  I think we did discuss this in the early
> meetings and found the ARC proposal provided more (multi-hop) and less
> complicated (no new domains).  There's also a phishing design challenge
> when picking a domain to represent you in a limited way.

The original intent was for mailing lists to always DKIM-resign with the 
domain of the mailing list. I expect that that happens today (and if 
they don't, ARC is not likely to be adopted either). So that can't 
possibly be heavier than adding two new signatures on top of that, since 
mailing lists would still have to apply the resigned DKIM signature.

Mike


>
> Brandon
>
> On Wed, Dec 2, 2020 at 6:58 PM Michael Thomas <mike@mtcc.com> wrote:
>
>     If you're trying to make a point about the bloat, you might actually
>     get your facts straight. ARC adds an additional DKIM signature and a
>     Seal. I have no idea what an X-Google-DKIM-Signature is, and it is not
>     relevant.
>
>     Mike
>
>     On 12/2/20 6:55 PM, John R. Levine wrote:
>     >> PS: you're adding X-Google-DKIM-Signature, whose utility nobody
>     >> knows, to your bloat total for dramatic effect.
>     >
>     > Um, it was there when your message arrived here. Complain to your
>     > mail provider.
>     >
>     >> On 12/2/20 6:33 PM, John R Levine wrote:
>     >>> On Wed, 2 Dec 2020, Michael Thomas wrote:
>     >>>>> But why bother?  The IANA header field registry currently has 419
>     >>>>> entries. Why is it a crisis if it increases to 422 rather than 420?
>     >>>>
>     >>>> It does a lot more than that:
>     >>>
>     >>> We've been through this all before and none of these are
>     >>> persuasive.  For example:
>     >>>
>     >>>> 3) It adds a lot more bloat to the headers
>     >>>
>     >>> The message you just sent arrived with 4600 bytes of header (see
>     >>> below) and under 2K of text.  Copies that went through the dmarc
>     >>> mailing list probably had at least another 1K of header.
>     >>>
>     >>> If header bloat were ever an issue, it hasn't been for decades.
>     >>>
>     >>> R's,
>     >>> John
>     >>> ---- snip ---
>     >>> Return-Path: <mike@fresheez.com>
>     >>> X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on gal.iecc.com
>     >>> X-Spam-Level: X-Spam-Status: No, score=-1.5 required=4.4
>     >>> tests=BAYES_00,DCC_REPUT_00_12,
>     >>>     DKIM_SIGNED,DKIM_VALID,NICE_REPLY_A,RDNS_NONE,SPF_HELO_NONE
>     >>>     autolearn=no autolearn_force=no version=3.4.4
>     >>> Delivered-To: johnl@iecc.com
>     >>> Received: (qmail 70731 invoked by uid 1014); 2 Dec 2020 23:30:07 -0000
>     >>> Delivered-To: virtual-taugh-johnl@taugh.com
>     >>> Received: (qmail 70729 invoked from network); 2 Dec 2020 23:30:07 -0000
>     >>> Authentication-Results: iecc.com; spf=pass
>     >>> spf.mailfrom=mike@fresheez.com spf.helo=mail-pl1-x62a.google.com
>     >>> smtp.remote-ip="2607:f8b0:4864:20::62a"; dkim=pass
>     >>> header.d=mtcc-com.20150623.gappssmtp.com header.s=20150623
>     >>> header.a=rsa-sha256 header.b="vvoZ+Loe"
>     >>> Received: from mail-pl1-x62a.google.com ([IPV6:2607:f8b0:4864:20::62a])
>     >>>   by mail1.iecc.com ([IPV6:2001:470:1f07:1126:33:5370:616d:6d31])
>     >>>   with ESMTPS via TCP6 (port 38853/25) id 665297367
>     >>>   tls TLS1.3_ECDHE_RSA_AES_128_GCM_AEAD sni mx1.taugh.com; 02 Dec 2020 23:30:06 -0000
>     >>> Received: by mail-pl1-x62a.google.com with SMTP id 4so91499plk.5
>     >>>         for <johnl@taugh.com>; Wed, 02 Dec 2020 15:30:05 -0800 (PST)
>     >>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>     >>>         d=mtcc-com.20150623.gappssmtp.com; s=20150623;
>     >>> h=subject:to:cc:references:from:message-id:date:user-agent
>     >>>  :mime-version:in-reply-to:content-transfer-encoding:content-language;
>     >>> bh=frJndGBg4PljdPRXFB1KqYuhqqDFqbuyeJjhznmBtNo=;
>     >>> b=vvoZ+Loew2ueICysZfzHi5UwJ3jXLN5dX+kyHN3HI91ZMJWMq7cym6dw1XQ9zaHvar
>     >>>  KWobHhYgPlIURrzw5+sM1lArZM0+S8zElTI9oJicfts5VpsuYtc3kGzpFO58DlGQMzji
>     >>>  +Bshah0JzXltImvCLjzUhHXHOLYvfA/Hk9lwY5XD904cTcBo4UfTKvenfFv3yLyBc4k3
>     >>>  l61UDIWK7HRcdixAnDYx7zJLZaO3qcbPOwkG48uqCoMDIJVhcBndL82W/JflTPy4EB9S
>     >>>  VydV+ABOODKddInyT2i5+/cTXS1B66NWYHF/Auh1UqRkxB/+H5T//oXYkKWqXolceqkS
>     >>>  Y3Nw==
>     >>> X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>     >>>         d=1e100.net; s=20161025;
>     >>> h=x-gm-message-state:subject:to:cc:references:from:message-id:date
>     >>>  :user-agent:mime-version:in-reply-to:content-transfer-encoding
>     >>>  :content-language;
>     >>> bh=frJndGBg4PljdPRXFB1KqYuhqqDFqbuyeJjhznmBtNo=;
>     >>> b=EiCvgdUtIHSRQXtcFgoSdo/YgcWiu1mxFOdlQ/tDw8nd2ipjfcUBNlRSW9ygClV9vu
>     >>>  TBZpT6xrU/F0xLA6fq9Tt51Z4S1VSgDSOCt1Ut8+oLzyBXkDCjQ3j8rByKqPkRvivOap
>     >>>  82rO+tMd5J/4SMAAPGmJ28WAq+E7J4EJknvVu1LUOEiTERnAbmT9ZK/eTEKPjQGx0msa
>     >>>  GMCKzawKzSfLMvOIqaKoPUmxPyrtEnEUizEPer7/aXZ0pXrUTHQ82984GTYqSdKDoYIS
>     >>>  T+59dBxbPY9KwT33oih+1slVUSLBEbzUigK3wj4yA/71KTvr76KCUEaU8cYI6/TYcszz
>     >>>  2CWA==
>     >>> X-Gm-Message-State: AOAM530XUwEgBdQ2e02rPshm7iyXROuyhTJeAndRJAFtQO8oX1JUEgsD
>     >>>     chdQCnyR1XB3fAEw5oIqGysS4Q==
>     >>> X-Google-Smtp-Source: ABdhPJzQUtiWyUp4dVxdii6hT+h4YBukyVaoJ5846n5Di6IUaEwxKrufF/3Atxm7lejww+dr4k5xIw==
>     >>> X-Received: by 2002:a17:90a:c4f:: with SMTP id u15mr287214pje.177.1606951804840;
>     >>>         Wed, 02 Dec 2020 15:30:04 -0800 (PST)
>     >>> Return-Path: <mike@fresheez.com>
>     >>> Received: from mike-mac.lan (107-182-42-33.volcanocom.com. [107.182.42.33])
>     >>>         by smtp.gmail.com with ESMTPSA id x7sm158495pfn.85.2020.12.02.15.30.03
>     >>>         (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
>     >>>         Wed, 02 Dec 2020 15:30:04 -0800 (PST)
>     >>> Subject: Re: [dmarc-ietf] ARC questions
>     >>> To: John R Levine <johnl@taugh.com>, Brandon Long <blong@google.com>
>     >>> Cc: IETF DMARC WG <dmarc@ietf.org>
>     >>> References: <20201124020453.AFDC027CE5C8@ary.qy>
>     >>>  <cd855b53-d9bd-3412-3bd5-dc4b7720dc5c@mtcc.com>
>     >>>  <CABa8R6s0bfs87Fu9eOq_R3WH1pngauVXrw3RSPe9iWWCtf3AmQ@mail.gmail.com>
>     >>>  <c954eadd-5c85-c0d9-2168-8a42de506b72@mtcc.com>
>     >>>  <CABa8R6swzAQLPU=xE2tr1W0J5r+w80BSYu87_ubMwHaUMgmKvA@mail.gmail.com>
>     >>>  <1eed8278-4efa-4abc-15e0-2efcf014e82e@mtcc.com>
>     >>>  <CABa8R6sEk+dHwHjBCKDgcmeT_Z3FymC5+jzy-GGa=7gJYvOf5A@mail.gmail.com>
>     >>>  <446d491b-100a-9813-6463-2294f67bbda7@mtcc.com>
>     >>>  <aafa5e78-aff9-8076-b76f-62f5b3a13fc1@taugh.com>
>     >>>  <4190de2d-9f17-06d5-6354-30c989eecd4a@mtcc.com>
>     >>>  <17d886fd-49fd-28d8-f8e4-7caf2e85919c@taugh.com>
>     >>>  <f785884b-2a3d-a6fe-6bb6-ee792d23ff23@mtcc.com>
>     >>>  <d5e9dbe-7d83-d3b1-2aa9-3e3562d3e75@taugh.com>
>     >>> From: Michael Thomas <mike@mtcc.com>
>     >>> Message-ID: <8bc3c7ad-2a42-3eed-524c-8c50b16131c2@mtcc.com>
>     >>> Date: Wed, 2 Dec 2020 15:30:01 -0800
>     >>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
>     >>> MIME-Version: 1.0
>     >>> In-Reply-To: <d5e9dbe-7d83-d3b1-2aa9-3e3562d3e75@taugh.com>
>     >>> Content-Type: text/plain; charset=utf-8; format=flowed
>     >>> Content-Transfer-Encoding: 8bit
>     >>> Content-Language: en-US
>     >>
>     >>
>     >
>     > Regards,
>     > John Levine, johnl@taugh.com, Primary Perpetrator of "The Internet for Dummies",
>     > Please consider the environment before reading this e-mail. https://jl.ly
>
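The point made above, that DMARC only considers DKIM signatures aligned with the From: domain and simply ignores the rest, as an added example that is not code from this thread or from any of its participants: a small Python check that classifies the signature headers of the message above the way a DMARC evaluator's DKIM-alignment step would. It assumes a two-label organizational domain in place of a Public Suffix List lookup and treats signature validity as already verified (as the Authentication-Results line in the quoted headers reports).

```python
import re

# Constructed sample trimmed from the headers of the message above; only the
# From: domain and each signature's d= tag matter here, so bh=/b= are "..." placeholders.
SAMPLE_HEADERS = """\
From: Michael Thomas <mike@mtcc.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc-com.20150623.gappssmtp.com; s=20150623; bh=...; b=...
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; bh=...; b=...
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real evaluator
    # consults the Public Suffix List (RFC 7489 section 3.2); this suffices here.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_tags(value):
    # Split a DKIM tag=value list such as "v=1; a=rsa-sha256; d=example.com".
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags

def dkim_alignment(headers, strict=False):
    """Return (from_domain, [(header_name, d_domain, verdict), ...]); verdict is
    'aligned' (counts toward a DMARC pass), 'unaligned' (a real DKIM-Signature
    DMARC ignores) or 'not-dkim' (a private header DMARC never looks at)."""
    from_domain, sigs = "", []
    for line in headers.splitlines():
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "from":
            from_domain = re.search(r"@([\w.-]+)", value).group(1).lower()
        elif name.endswith("dkim-signature"):
            sigs.append((name, parse_tags(value).get("d", "").lower()))
    verdicts = []
    for name, d in sigs:
        if name != "dkim-signature":
            verdict = "not-dkim"
        elif d == from_domain or (not strict and org_domain(d) == org_domain(from_domain)):
            verdict = "aligned"
        else:
            verdict = "unaligned"
        verdicts.append((name, d, verdict))
    return from_domain, verdicts

def dmarc_dkim_pass(headers, strict=False):
    # DMARC's DKIM leg passes only if at least one signature is aligned; the
    # sample has none, matching "no originating domain signature" above.
    return any(v == "aligned" for _, _, v in dkim_alignment(headers, strict)[1])
```

Appending a constructed `DKIM-Signature` with `d=mail.mtcc.com` flips the result to pass under relaxed alignment but not under strict alignment, which is the difference between the `adkim=r` and `adkim=s` policy settings.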