Re: [dmarc-ietf] Feedback on draft-ietf-dmarc-psd-02
Scott Kitterman <sklist@kitterman.com> Fri, 12 April 2019 02:57 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2ED001204D6 for <dmarc@ietfa.amsl.com>; Thu, 11 Apr 2019 19:57:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=76MnHeJc; dkim=pass (2048-bit key) header.d=kitterman.com header.b=YnhtONef
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TRfa0ZLShHwn for <dmarc@ietfa.amsl.com>; Thu, 11 Apr 2019 19:57:37 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CB691204AD for <dmarc@ietf.org>; Thu, 11 Apr 2019 19:57:37 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 153ABF807D9 for <dmarc@ietf.org>; Thu, 11 Apr 2019 22:57:36 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1555037855; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=5U5Lj4bBLp9yv26Z6ViR944EJeOdKaICn/jW1w79kPA=; b=76MnHeJcoYBqI3AJzvQDj05BfSQd4ta7S+9EFS7KRraP/FnS2OFtuVlL l+J61sNUQLi8WlXdmXP+EkdlAgDuDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1555037855; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=5U5Lj4bBLp9yv26Z6ViR944EJeOdKaICn/jW1w79kPA=; b=YnhtONefCKb6rd65y6hYnexgIh/niI3nhBDS5ukbrXxd+TL2RC6A4Lrh 8dLErq6buMlFKTKHbjS0+fP+qDn+KDGyNrkkDQ0PdnhD2uAfgdsoGCVZNc DfDaxDeL4yNoPXWIXYE8sCZAPz+8BgU1JqtnrNpLEM3LUrAVE+CLe/SLiP YaYri0dyfOhYuP6O8peWBPZusmwL4niuIZRTJ/KTRBb66q+tCVUYIHkzNK HLRGclwNWSIf6v11gPjWeNZB9WlANbzoBmdXXQwQYTyZ2zuZRrXotdCihW luuIbqnjsi0E+Z1toMBU7k0z1KVaarkF9BHAhIjanclRzNQAM07feg==
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id B9DDEF8038A for <dmarc@ietf.org>; Thu, 11 Apr 2019 22:57:35 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Thu, 11 Apr 2019 22:57:34 -0400
Message-ID: <2560485.41NbCdns5Z@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-164-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <CABuGu1oE+W7_==GxG0Qmo9WxcPWm5in50EZwU+kSEJ4a0=QZzA@mail.gmail.com>
References: <CABuGu1oE+W7_==GxG0Qmo9WxcPWm5in50EZwU+kSEJ4a0=QZzA@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/uVE95PPstSAutaW0uaHvaRC4wHU>
Subject: Re: [dmarc-ietf] Feedback on draft-ietf-dmarc-psd-02
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2019 02:57:39 -0000
On Thursday, April 11, 2019 03:33:34 PM Kurt Andersen wrote: > Firstly, just a nit, but section 4.1 introduces a new abbreviation in the > last bullet point: "PSDo". I suspect that this should be PSO for > consistency. Agreed. Thinko on my part. Fixed for the next revision. > More substantively, in Appendix A, the case is being advanced for "concerns > associated with Multi-organization PSDs that do not mandate DMARC usage". > I'm not sure why "multi-organization" is an appropriate qualifier, nor as > to what mandated DMARC usage has to do with any of the privacy concerns. > Neglected DMARC usage is what leads to the spillage up to the PSD level. > Even within a single organization there may be serious privacy walls which > need to be respected between different sub-portions of the org - which may > or may not be represented in a DNS hierarchy. When you say "Neglected DMARC usage", it gives the impression that you think not participating in DMARC is somehow negligent. It's not. It's not even an IETF RFC of any kind. DMARC is opt-in. PSD DMARC is opt-in for PSOs, but not for lower level organizations. When an organization is involuntarily subject to having details of it's email activity mailed to an entity which it has not authorized to get it, that's the very definition of a privacy breach. For single entity PSDs, the decision to participate in PSD DMARC and receive feedback is approximately identical to the decision for non-PSO organizations to participate in DMARC with their organizational domains. Yes, their can be sensitivities within an organization, but they have a common management to determine how to address those issue. The Internet doesn't have to do it for them. For multi-entity PSDs, there is no common management among the organizational domains, so it is a different situation. Where DMARC is already required within a PSD, compliant organizations have already opted-out of PSD DMARC, so the privacy breach potential is, I argue, effectively mitigated. Where DMARC is not required (approximately everywhere today), that's not the case and I feel pretty strongly there's an issue we have to address. > I've read through the breakdown in section 4.1, but I think that it is > incomplete - largely on the terms mentioned above. Also, the claim that > reports on cousin domains would be sent to the [right] PSO ignores the risk > of the PSD itself being the cousin attack point. After all if a domain > doesn't exist, one may as well start from the top :-) OK. If this discussion helps you understand where I'm coming from, I'd appreciate suggestions on text to make it clearer in the document. > I think it would be more effective to add an anti-RUF requirement to the > implementation of this spec - such that no RUF reports would be sent, > regardless of the record which is published by the PSD. Since very few > providers even support RUF at all, this does not seem to be a big ask, > although it does require some additional logic. The privacy risk is > primarily related to RUF, not RUA reports so blocking RUF could (IMO) > effectively mitigate the perceived risk of the PSD records while still > allowing the DMARC validation protection. I think adding a MUST NOT regarding RUF is a good idea. I added this to the draft for the next revision in the section about RFC 7489 Section 7: [RFC7489] Section 7.3 Failure Reports MUST NOT be sent for PSD DMARC. I don't think eliminating RUF reports is nearly sufficient. While the content of the RUA reports is certainly much less sensitive than the content of the RUF reports, they are still privacy sensitive. As an exercise, I've reviewed my own domain's RUA reports and explored what conclusions I could draw from them. I concluded it was enough that they are still privacy sensitive, much more so for small domains than large ones since patterns of individual users will be more obvious. Consider, as a scenario, the ccTLD operator of an oppressive nation state reviewing RUA reports and then passing on information to the national police when they see indications someone in a domain has been communicating with human rights activists. The 'law' enforcement agency can then require details from the domain owner to determine who the individual in question is. Yes, there are other ways this could be done, but I don't think we should make things like this easier. This is well within the scope of attacks described by RFC 7258. It's a BCP to mitigate such attacks. I don't think leaving them unmitigated is acceptable. Scott K
- [dmarc-ietf] Feedback on draft-ietf-dmarc-psd-02 Kurt Andersen
- Re: [dmarc-ietf] Feedback on draft-ietf-dmarc-psd… Scott Kitterman
- Re: [dmarc-ietf] Feedback on draft-ietf-dmarc-psd… Seth Blank
- Re: [dmarc-ietf] Feedback on draft-ietf-dmarc-psd… Scott Kitterman
- Re: [dmarc-ietf] Feedback on draft-ietf-dmarc-psd… Kurt Andersen (b)
- Re: [dmarc-ietf] Feedback on draft-ietf-dmarc-psd… Scott Kitterman