Re: [dmarc-ietf] ARC questions

[Michael Thomas <mike@mtcc.com>]

On 12/4/20 3:27 PM, Brandon Long wrote:
> I'm pretty sure I explained what the X-Google-DKIM-Signature was in 
> this or related threads.  It was
> part of the original attempt at ARC, which was 
> X-Original-Authentication-Results.  Adding just
> an XOAR header was not sufficient, we had to have reason to trust it, 
> so we added the signature.
> We didn't re-use the existing DKIM-Signature header name because that 
> header was already used
> by DMARC and had a bunch of other uses that we didn't want to use.

DKIM doesn't have to be from the originating domain, and if you look at 
my mail headers in this message, you will see there is no originating 
domain signature because I changed over to gsuite last year. DMARC would 
just ignore all of those non-From domain signatures. I don't see the 
problem here.

I don't understand what you mean about "trust". I thought the entire 
point of ARC was to deliver the intermediary's auth-res for 
consideration to the next hop(s). that could be done with XOAR and DKIM. 
If you don't agree, I would appreciate a step-by-step why that is not 
the case because I'm just not seeing it.

And if X-Google is legacy, why is it still in your email headers? I have 
to say that when I came upon all of this it was definitely a wtf moment. 
I imagine that other people less familiar will look at it and have a 
FOMO moment.


> So yes, that's a way to work around some of the issues if we wanted to 
> pursue the DKIM+A-R,
> just have everyone sign with a different domain that you don't use for 
> mail.  That seems heavier
> weight to me, but that would be a single-hop solution.  I think we did 
> discuss this in the early meetings
> and found the ARC proposal provided more (multi-hop) and less 
> complicated (no new domains).  There's
> also a phishing design challenge when picking a domain to represent 
> you in a limited way.

The original intent was for mailing lists to always DKIM-resign with the 
domain of the mailing list. I expect that that happens today (and if 
they don't, ARC is not likely to be adopted either). So that can't 
possibly be heavier than adding two new signatures on top of that, since 
mailing lists would still have to apply the resigned DKIM signature.

Mike


>
> Brandon
>
> On Wed, Dec 2, 2020 at 6:58 PM Michael Thomas <mike@mtcc.com 
> <mailto:mike@mtcc.com>> wrote:
>
>     if you're trying to make a point about the bloat, you might
>     actually get
>     your facts straight. ARC adds an additional DKIM signature and a
>     Seal. i
>     have no idea what a X-Google-DKIM-Signature is and is not relevant.
>
>     Mike
>
>     On 12/2/20 6:55 PM, John R. Levine wrote:
>     >> PS: you're adding X-Google-DKIM-Signature which nobody knows
>     what its
>     >> utility is to your bloat total for dramatic effect.
>     >
>     > Um, it was there when your message arrived here. Complain to your
>     > mail provider.
>     >
>     >> On 12/2/20 6:33 PM, John R Levine wrote:
>     >>> On Wed, 2 Dec 2020, Michael Thomas wrote:
>     >>>>> But why bother?  The IANA header field registry currently
>     has 419
>     >>>>> entries. Why is it a crisis if it increases to 422 rather
>     than 420?
>     >>>>
>     >>>> It does a lot more than that:
>     >>>
>     >>> We've been through this all before and none of these are
>     >>> persuasive.  For
>     >>> example:
>     >>>
>     >>>> 3) It adds a lot more bloat to the headers
>     >>>
>     >>> The message you just sent arrived with 4600 bytes of header (see
>     >>> below) and under 2K of text.  Copies that went through the dmarc
>     >>> mailing list probably had at least another 1K of header.
>     >>>
>     >>> If header bloat were ever an issue, it hasn't been for decades.
>     >>>
>     >>> R's,
>     >>> John
>     >>> ---- snip ---
>     >>> Return-Path: <mike@fresheez.com <mailto:mike@fresheez.com>>
>     >>> X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
>     gal.iecc.com <http://gal.iecc.com>
>     >>> X-Spam-Level: X-Spam-Status: No, score=-1.5 required=4.4
>     >>> tests=BAYES_00,DCC_REPUT_00_12,
>     >>>     DKIM_SIGNED,DKIM_VALID,NICE_REPLY_A,RDNS_NONE,SPF_HELO_NONE
>     >>>     autolearn=no autolearn_force=no version=3.4.4
>     >>> Delivered-To: johnl@iecc.com <mailto:johnl@iecc.com>
>     >>> Received: (qmail 70731 invoked by uid 1014); 2 Dec 2020
>     23:30:07 -0000
>     >>> Delivered-To: virtual-taugh-johnl@taugh.com
>     <mailto:virtual-taugh-johnl@taugh.com>
>     >>> Received: (qmail 70729 invoked from network); 2 Dec 2020
>     23:30:07 -0000
>     >>> Authentication-Results: iecc.com <http://iecc.com>; spf=pass
>     >>> spf.mailfrom=mike@fresheez.com <mailto:mike@fresheez.com>
>     spf.helo=mail-pl1-x62a.google.com <http://mail-pl1-x62a.google.com>
>     >>> smtp.remote-ip="2607:f8b0:4864:20::62a"; dkim=pass
>     >>> header.d=mtcc-com.20150623.gappssmtp.com
>     <http://mtcc-com.20150623.gappssmtp.com> header.s=20150623
>     >>> header.a=rsa-sha256 header.b="vvoZ+Loe"
>     >>> Received: from mail-pl1-x62a.google.com
>     <http://mail-pl1-x62a.google.com> ([IPV6:2607:f8b0:4864:20::62a])
>     >>>   by mail1.iecc.com <http://mail1.iecc.com>
>     ([IPV6:2001:470:1f07:1126:33:5370:616d:6d31])
>     >>>   with ESMTPS via TCP6 (port 38853/25) id 665297367
>     >>>   tls TLS1.3_ECDHE_RSA_AES_128_GCM_AEAD sni mx1.taugh.com
>     <http://mx1.taugh.com>; 02 Dec
>     >>> 2020 23:30:06 -0000
>     >>> Received: by mail-pl1-x62a.google.com
>     <http://mail-pl1-x62a.google.com> with SMTP id 4so91499plk.5
>     >>>         for <johnl@taugh.com <mailto:johnl@taugh.com>>; Wed,
>     02 Dec 2020 15:30:05 -0800 (PST)
>     >>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>     >>>         d=mtcc-com.20150623.gappssmtp.com
>     <http://mtcc-com.20150623.gappssmtp.com>; s=20150623;
>     >>> h=subject:to:cc:references:from:message-id:date:user-agent
>     >>>
>     :mime-version:in-reply-to:content-transfer-encoding:content-language;
>     >>> bh=frJndGBg4PljdPRXFB1KqYuhqqDFqbuyeJjhznmBtNo=;
>     >>>
>     b=vvoZ+Loew2ueICysZfzHi5UwJ3jXLN5dX+kyHN3HI91ZMJWMq7cym6dw1XQ9zaHvar
>     >>>
>     KWobHhYgPlIURrzw5+sM1lArZM0+S8zElTI9oJicfts5VpsuYtc3kGzpFO58DlGQMzji
>     >>>
>     +Bshah0JzXltImvCLjzUhHXHOLYvfA/Hk9lwY5XD904cTcBo4UfTKvenfFv3yLyBc4k3
>     >>>
>     l61UDIWK7HRcdixAnDYx7zJLZaO3qcbPOwkG48uqCoMDIJVhcBndL82W/JflTPy4EB9S
>     >>>
>     VydV+ABOODKddInyT2i5+/cTXS1B66NWYHF/Auh1UqRkxB/+H5T//oXYkKWqXolceqkS
>     >>>          Y3Nw==
>     >>> X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
>     >>>         d=1e100.net <http://1e100.net>; s=20161025;
>     >>> h=x-gm-message-state:subject:to:cc:references:from:message-id:date
>     >>> :user-agent:mime-version:in-reply-to:content-transfer-encoding
>     >>>          :content-language;
>     >>> bh=frJndGBg4PljdPRXFB1KqYuhqqDFqbuyeJjhznmBtNo=;
>     >>>
>     b=EiCvgdUtIHSRQXtcFgoSdo/YgcWiu1mxFOdlQ/tDw8nd2ipjfcUBNlRSW9ygClV9vu
>     >>>
>     TBZpT6xrU/F0xLA6fq9Tt51Z4S1VSgDSOCt1Ut8+oLzyBXkDCjQ3j8rByKqPkRvivOap
>     >>>
>     82rO+tMd5J/4SMAAPGmJ28WAq+E7J4EJknvVu1LUOEiTERnAbmT9ZK/eTEKPjQGx0msa
>     >>>
>     GMCKzawKzSfLMvOIqaKoPUmxPyrtEnEUizEPer7/aXZ0pXrUTHQ82984GTYqSdKDoYIS
>     >>>
>     T+59dBxbPY9KwT33oih+1slVUSLBEbzUigK3wj4yA/71KTvr76KCUEaU8cYI6/TYcszz
>     >>>          2CWA==
>     >>> X-Gm-Message-State:
>     >>> AOAM530XUwEgBdQ2e02rPshm7iyXROuyhTJeAndRJAFtQO8oX1JUEgsD
>     >>>     chdQCnyR1XB3fAEw5oIqGysS4Q==
>     >>> X-Google-Smtp-Source:
>     >>>
>     ABdhPJzQUtiWyUp4dVxdii6hT+h4YBukyVaoJ5846n5Di6IUaEwxKrufF/3Atxm7lejww+dr4k5xIw==
>     >>> X-Received: by 2002:a17:90a:c4f:: with SMTP id
>     >>> u15mr287214pje.177.1606951804840;
>     >>>         Wed, 02 Dec 2020 15:30:04 -0800 (PST)
>     >>> Return-Path: <mike@fresheez.com <mailto:mike@fresheez.com>>
>     >>> Received: from mike-mac.lan (107-182-42-33.volcanocom.com
>     <http://107-182-42-33.volcanocom.com>.
>     >>> [107.182.42.33])
>     >>>         by smtp.gmail.com <http://smtp.gmail.com> with ESMTPSA id
>     >>> x7sm158495pfn.85.2020.12.02.15.30.03
>     >>>         (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256
>     bits=128/128);
>     >>>         Wed, 02 Dec 2020 15:30:04 -0800 (PST)
>     >>> Subject: Re: [dmarc-ietf] ARC questions
>     >>> To: John R Levine <johnl@taugh.com <mailto:johnl@taugh.com>>,
>     Brandon Long <blong@google.com <mailto:blong@google.com>>
>     >>> Cc: IETF DMARC WG <dmarc@ietf.org <mailto:dmarc@ietf.org>>
>     >>> References: <20201124020453.AFDC027CE5C8@ary.qy>
>     >>>  <cd855b53-d9bd-3412-3bd5-dc4b7720dc5c@mtcc.com
>     <mailto:cd855b53-d9bd-3412-3bd5-dc4b7720dc5c@mtcc.com>>
>     >>>
>      <CABa8R6s0bfs87Fu9eOq_R3WH1pngauVXrw3RSPe9iWWCtf3AmQ@mail.gmail.com
>     <mailto:CABa8R6s0bfs87Fu9eOq_R3WH1pngauVXrw3RSPe9iWWCtf3AmQ@mail.gmail.com>>
>     >>>  <c954eadd-5c85-c0d9-2168-8a42de506b72@mtcc.com
>     <mailto:c954eadd-5c85-c0d9-2168-8a42de506b72@mtcc.com>>
>     >>>
>      <CABa8R6swzAQLPU=xE2tr1W0J5r+w80BSYu87_ubMwHaUMgmKvA@mail.gmail.com
>     <mailto:xE2tr1W0J5r%2Bw80BSYu87_ubMwHaUMgmKvA@mail.gmail.com>>
>     >>>  <1eed8278-4efa-4abc-15e0-2efcf014e82e@mtcc.com
>     <mailto:1eed8278-4efa-4abc-15e0-2efcf014e82e@mtcc.com>>
>     >>>
>      <CABa8R6sEk+dHwHjBCKDgcmeT_Z3FymC5+jzy-GGa=7gJYvOf5A@mail.gmail.com
>     <mailto:7gJYvOf5A@mail.gmail.com>>
>     >>>  <446d491b-100a-9813-6463-2294f67bbda7@mtcc.com
>     <mailto:446d491b-100a-9813-6463-2294f67bbda7@mtcc.com>>
>     >>>  <aafa5e78-aff9-8076-b76f-62f5b3a13fc1@taugh.com
>     <mailto:aafa5e78-aff9-8076-b76f-62f5b3a13fc1@taugh.com>>
>     >>>  <4190de2d-9f17-06d5-6354-30c989eecd4a@mtcc.com
>     <mailto:4190de2d-9f17-06d5-6354-30c989eecd4a@mtcc.com>>
>     >>>  <17d886fd-49fd-28d8-f8e4-7caf2e85919c@taugh.com
>     <mailto:17d886fd-49fd-28d8-f8e4-7caf2e85919c@taugh.com>>
>     >>>  <f785884b-2a3d-a6fe-6bb6-ee792d23ff23@mtcc.com
>     <mailto:f785884b-2a3d-a6fe-6bb6-ee792d23ff23@mtcc.com>>
>     >>>  <d5e9dbe-7d83-d3b1-2aa9-3e3562d3e75@taugh.com
>     <mailto:d5e9dbe-7d83-d3b1-2aa9-3e3562d3e75@taugh.com>>
>     >>> From: Michael Thomas <mike@mtcc.com <mailto:mike@mtcc.com>>
>     >>> Message-ID: <8bc3c7ad-2a42-3eed-524c-8c50b16131c2@mtcc.com
>     <mailto:8bc3c7ad-2a42-3eed-524c-8c50b16131c2@mtcc.com>>
>     >>> Date: Wed, 2 Dec 2020 15:30:01 -0800
>     >>> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0)
>     >>>  Gecko/20100101 Thunderbird/78.5.0
>     >>> MIME-Version: 1.0
>     >>> In-Reply-To: <d5e9dbe-7d83-d3b1-2aa9-3e3562d3e75@taugh.com
>     <mailto:d5e9dbe-7d83-d3b1-2aa9-3e3562d3e75@taugh.com>>
>     >>> Content-Type: text/plain; charset=utf-8; format=flowed
>     >>> Content-Transfer-Encoding: 8bit
>     >>> Content-Language: en-US
>     >>
>     >>
>     >
>     > Regards,
>     > John Levine, johnl@taugh.com <mailto:johnl@taugh.com>, Primary
>     Perpetrator of "The Internet for
>     > Dummies",
>     > Please consider the environment before reading this e-mail.
>     https://jl.ly <https://jl.ly>
>
>     _______________________________________________
>     dmarc mailing list
>     dmarc@ietf.org <mailto:dmarc@ietf.org>
>     https://www.ietf.org/mailman/listinfo/dmarc
>     <https://www.ietf.org/mailman/listinfo/dmarc>
>