Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations
Dave Crocker <dcrocker@gmail.com> Sun, 19 July 2020 15:04 UTC
Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37F183A0953 for <dmarc@ietfa.amsl.com>; Sun, 19 Jul 2020 08:04:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LfnbtSWnQd9t for <dmarc@ietfa.amsl.com>; Sun, 19 Jul 2020 08:04:18 -0700 (PDT)
Received: from mail-ot1-x343.google.com (mail-ot1-x343.google.com [IPv6:2607:f8b0:4864:20::343]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED0CA3A094B for <dmarc@ietf.org>; Sun, 19 Jul 2020 08:04:17 -0700 (PDT)
Received: by mail-ot1-x343.google.com with SMTP id 5so10272072oty.11 for <dmarc@ietf.org>; Sun, 19 Jul 2020 08:04:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=INU0RQtCuXBc7V3VRIUBDx395dSz19KLyQl6K8d55w8=; b=Sj5PAWcgfbllS1pwU+NF7jzpkIZazpRrjWehP11xlLjpgrz9uAWBnKrrBk3gUGy2/y 8pBOJKvrC6xJDO2FgJCYnzTYlz5EMr7fNvZMjeiZCFUfC5wpDKEQcGVJaiW1pwibl3H+ aHtf+WLh7/rFWVNaEHRdJe4kO5WVBUotbm00gXyEiOX+mERzD/7LiAEmakqqANMSS7dq cEFofx/Yzh0LicEokCGHQYKJOZBsSWBsQvp3a+6QoDRz+pZPmhLuZ9c+acctAlJphCOV IZtcpd0lQpSpjyS6+ntvC20UIG9QWbIPp00bvvLKcy1EpNLOM3Oj3KymtQ7I5wQ/Hf6W Ka2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=INU0RQtCuXBc7V3VRIUBDx395dSz19KLyQl6K8d55w8=; b=CrROWRprTyRxxY0I0QKE9aWWZ3TAh9fbkkYresuYv4aFrfrf/PKQ4vcCW/3UYxOA7Q 7svOnTspVL0ATO/C7MmwqvOS2UDP52W3KCYC2PhBTi5qTah1GhvhbaP8gvbJqIq0k0b8 WLo95wcTBMOQlFzf1aMLSMWTdZ+CpMQbFYPKepyWM3utMAY83bHeBStZrfcUP9RW9xqZ zX5Kb+8sN63ajjqwdHbLCopacPJ7fqltuv4at6skgagbs9WoqxgEBYFtfQTr8FbUHl3l E74JCoamYN6welwHWLZsxI1XWjJMs98JIzSUZmkINmjlUnGZ+R9Tts1NwJUdtsJ51cfh RP3A==
X-Gm-Message-State: AOAM532DhD4BOVosMVJxKW0CsMP69rroBlWALqxSSOYevJnvA965HCBV iMOwdgIz8vfKnLJOZ2YnRkk1SEziy80=
X-Google-Smtp-Source: ABdhPJzkxLEyEf0iNSxIkr6As96LZb2ubNXLmSePRiUUMLzACzmhXmfjt2JnTDhsxCMStfWsUe/d+Q==
X-Received: by 2002:a9d:7515:: with SMTP id r21mr16484514otk.208.1595171057065; Sun, 19 Jul 2020 08:04:17 -0700 (PDT)
Received: from ?IPv6:2600:1700:a3a0:4c80:fc69:4fcf:5c0d:166? ([2600:1700:a3a0:4c80:fc69:4fcf:5c0d:166]) by smtp.gmail.com with ESMTPSA id h22sm3516760oos.48.2020.07.19.08.04.16 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 19 Jul 2020 08:04:16 -0700 (PDT)
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <cd9258e6-3917-2380-dd9b-66d74f3a64d3@gmail.com> <20200717210053.674D61D2C431@ary.qy> <CAL0qLwbkhG-qUyGqxaEjcFn2Lb7wPMhcPFEMA8eqptBJpePPxA@mail.gmail.com> <8efcf71c-f841-46a4-10b7-feb41a741405@gmail.com> <CAL0qLwbK7GQXkiS+H8GtsvHMzWr4o431Shc7Cc9MhqsTiHfzFw@mail.gmail.com>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <bc7ed18c-8f1d-b41b-0a4b-3aa180a63563@gmail.com>
Date: Sun, 19 Jul 2020 08:04:14 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CAL0qLwbK7GQXkiS+H8GtsvHMzWr4o431Shc7Cc9MhqsTiHfzFw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------7666BA205D57982DDC2FC578"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/tWo_SunbuUbxq71uL6GHRJbsMzI>
Subject: Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Jul 2020 15:04:19 -0000
On 7/18/2020 9:23 PM, Murray S. Kucherawy wrote: > On Sat, Jul 18, 2020 at 6:32 PM Dave Crocker <dcrocker@gmail.com > <mailto:dcrocker@gmail.com>> wrote: > > If end users do not reliably make trust decisions based on /any/ > of the > information in the rfc5322.From field, then how is this question > important. It seems to be seeking precise data about something that > isn't even secondary. > > > Google strikes me as the kind of place that would make a decision > about what to show users based on Perhaps, but since we don't have their data and we don't have their decision-criteria -- which might be quite different from what is needed here -- then it's probably a good idea not to make assumptions about the utility, nor to put all of the human factors marbles in the google camp. > I'm less convinced by the notion that all of the RFC5322.From is > disregarded by the preponderance of users when deciding what level of > trust to put in the message's content. That suggests we blindly open > and read absolutely everything, and I suspect that isn't the case. 1. That's not what it suggests, at all 2. No doubt there is a better way to put this, but I'm not thinking of it, and this isn't just my second thought on the challenge, but quite a bit more than that: This demonstrates why the IETF is a very poor venue for conducting human factors discussions. Again: There is quite a bit of experience demonstrating that providing trust indicators to end users does not produce reliable -- ie, useful -- decision-making by end users. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- [dmarc-ietf] Response to a claim in draft-crocker… Kurt Andersen (IETF)
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker on behalf of Kurt Andersen
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Alessandro Vesely
- Re: [dmarc-ietf] Response to a claim in draft-cro… Jim Fenton
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Murray S. Kucherawy
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Murray S. Kucherawy
- Re: [dmarc-ietf] Response to a claim in draft-cro… Alessandro Vesely
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… John Levine
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] no from addresses nowhere, Respo… John Levine
- Re: [dmarc-ietf] Response to a claim in draft-cro… Murray S. Kucherawy
- Re: [dmarc-ietf] Response to a claim in draft-cro… Murray S. Kucherawy
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Murray S. Kucherawy
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Alessandro Vesely
- Re: [dmarc-ietf] Response to a claim in draft-cro… Laura Atkins
- Re: [dmarc-ietf] Response to a claim in draft-cro… Benny Lyne Amorsen
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dotzero
- Re: [dmarc-ietf] Response to a claim in draft-cro… Benny Lyne Amorsen
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Jesse Thompson
- Re: [dmarc-ietf] Response to a claim in draft-cro… Brandon Long
- Re: [dmarc-ietf] Response to a claim in draft-cro… Brandon Long
- Re: [dmarc-ietf] Response to a claim in draft-cro… Brandon Long
- Re: [dmarc-ietf] Response to a claim in draft-cro… Murray S. Kucherawy
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… John Levine
- Re: [dmarc-ietf] Response to a claim in draft-cro… Laura Atkins
- Re: [dmarc-ietf] Response to a claim in draft-cro… Laura Atkins
- Re: [dmarc-ietf] Response to a claim in draft-cro… Laura Atkins
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Jesse Thompson
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Brandon Long
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dotzero
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Hector Santos
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Joseph Brennan
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dotzero
- Re: [dmarc-ietf] Response to a claim in draft-cro… Joseph Brennan
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Brandon Long
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Jesse Thompson
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Doug Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… John Levine
- Re: [dmarc-ietf] Response to a claim in draft-cro… Jesse Thompson
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dotzero
- [dmarc-ietf] DMARC marketing Jim Fenton
- Re: [dmarc-ietf] Response to a claim in draft-cro… Joseph Brennan
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Joseph Brennan
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Benny Pedersen
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Joseph Brennan
- Re: [dmarc-ietf] Why are MUAs hiding or removing … Benny Pedersen
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Hector Santos
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Jim Fenton
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Hector Santos
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker
- Re: [dmarc-ietf] Response to a claim in draft-cro… Hector Santos
- Re: [dmarc-ietf] Response to a claim in draft-cro… Douglas E. Foster
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dotzero
- Re: [dmarc-ietf] DMARC marketing Jesse Thompson
- Re: [dmarc-ietf] Response to a claim in draft-cro… Jesse Thompson
- Re: [dmarc-ietf] Response to a claim in draft-cro… Dave Crocker