Re: [dmarc-ietf] Fwd: Priming the Pump for Discussion - Ratchets
Barry Leiba <barryleiba@computer.org> Wed, 21 July 2021 19:00 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43F073A25CF for <dmarc@ietfa.amsl.com>; Wed, 21 Jul 2021 12:00:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.65
X-Spam-Level:
X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I89KHhBrmjUz for <dmarc@ietfa.amsl.com>; Wed, 21 Jul 2021 12:00:38 -0700 (PDT)
Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com [209.85.167.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B5373A26A1 for <dmarc@ietf.org>; Wed, 21 Jul 2021 12:00:27 -0700 (PDT)
Received: by mail-lf1-f44.google.com with SMTP id y42so4715310lfa.3 for <dmarc@ietf.org>; Wed, 21 Jul 2021 12:00:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KknaKavPl63u5u5BJlXp7DPl27/iq2od+2d3/Q1uAro=; b=LfJzQ8E6SB8gLFZ70ewAYhy+b9qJvKci9f14S5m1VR9Vjt5CYw7TJQEhkDbLlq87/3 fexwRue1/H/UNXpXbtI5dGCeG3LTIKAGHMXO7rYVpwtNOWQIFV0gvsiTDWXveoBIwqP3 GWJOu8FwycRWI1iX03avZT6HdqojKiZSDwxLkMjyMjx+hNcBWfrIYBH7J/Bo0AxXEDRb RUq4KUm2pjob2GeLX8ZWge3Ow8+f4fAMVyYixHXNQmUfP8LDHy2WKk22HOC+LjrLTHKh jr5KagWlzBaXKxSelGLFZ37wRTmfv7vEiTvzjFhaBzqttcdKn8BrYpfIYXc5v9QW/wgk Rgqw==
X-Gm-Message-State: AOAM530zuTEd3YOQL5NCqlIG3gRoGeYo8RfEiDxqLqCrfycIKR6a71Rq XaNd5awBXZBHc0rPVnbAXG8xRjaEGyPT59uMnE4=
X-Google-Smtp-Source: ABdhPJx9o49QF98VrNLbwXM4Z7fHNWV4pKrTQOp6h1I53m4PFTHUUAga4/Cc4vdmvGk3p8XpMTKYWu2aGymlxX70AmA=
X-Received: by 2002:ac2:44ad:: with SMTP id c13mr25788595lfm.377.1626894024208; Wed, 21 Jul 2021 12:00:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAHej_8=yvgXP2WgHayhGU2Hg2E0RcNgZBFjfw1cM-qKWkTG-+w@mail.gmail.com> <d80b0a14-0f4d-8266-8d42-8d9a6b02413d@tana.it> <CAH48ZfyLvECR_nwLmw6R6RnE4EZa8g_i7MJaF32d2qk4RBCKRA@mail.gmail.com> <1E1F7937-AFEC-4F5A-8A5A-229A99C94E8B@bluepopcorn.net> <CAH48ZfyTm1PSANTUmnqOy3aeiW4JHGbTsQ-m9xtSW9zFaCUZQA@mail.gmail.com> <CAH48ZfzEWaFPUG4Gfc2ckpyUEq-8L9kEZZv+LwqJcW88=0y6=w@mail.gmail.com> <CALaySJJ2ZFML2neecfgAhvfk_1EuMNGw6DwchLmmWWpbDJC+Zw@mail.gmail.com> <CAH48ZfxELhp+fHujdZzDADGz4MNoWsJLB7cU1d1cW065Xu8YBQ@mail.gmail.com>
In-Reply-To: <CAH48ZfxELhp+fHujdZzDADGz4MNoWsJLB7cU1d1cW065Xu8YBQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Wed, 21 Jul 2021 15:00:12 -0400
Message-ID: <CALaySJ+5i6vcii=YTTMQbr5gcdNSmOjNDp6ox8nK+izJDAe2_A@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/vPcrUQHJ083qjxfVS-D6jjSO44U>
Subject: Re: [dmarc-ietf] Fwd: Priming the Pump for Discussion - Ratchets
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jul 2021 19:00:47 -0000
>> I don't agree with the characterization of the second group. I would >> say that we are partitioning messages into these two groups: >> - Those for which we can confirm that they originated in the domain >> they say they did. >> - Those for which we can not confirm that. > > When we use P=REJECT, we assert that anything which cannot be > confirmed is unacceptable. That makes for two pretty disjoint > groups. If Authentication is only to be used to validate a > whitelisting decision, then a one-sided test would be sufficient. In > practice, the primary use for DMARCv1 is to block messages, and much > of our discussion has been around the unwanted disposition that this > places on mailing lists. Indeed; there is definitely a problem between DMARC's p=reject and mailing lists. > DKIM treats an invalid signature as non-existent. It also treats a > DKIM signature as fully optional. DMARCv1 changes the rules to > gather more usable information from the message. DMARCv1 with > P=REJECT says that a message which lacks authentication is > unacceptable, and since any message might be forwarded, it has > effectively made DKIM non-optional.. So we have already modified the > interpretation of DKIM. Here, again, I disagree with your premise: we have not modified the interpretation of DKIM. Senders still decide whether to sign with DKIM or not, and you're correct that it's a poor quality deployment to use p=reject (or even quarantine) without also deploying DKIM signing. But the interpretation has not changed: a valid DKIM signature still means the same as it always did, and the absence of a valid DKIM signature still means the same as well. We have not created -- and must not create -- an additional state that has been proscribed for a number of good reasons. > I have observed that IF the domain owner indicates that all messages > originate with DKIM signatures, then the presence of a signature is no > longer optional at the evaluation point. As I have said previously, > this provides a valid basis for partitioning messages between > verified, ambiguous, and repudiated. If you accept the premise that > mailing list messages should not always be repudiated, then nothing we > have done up to this point has provided a reliable way to repudiate. > I am saying that this is a problem that we can fix. It does not provide such a valid basis. With your proposal, any attacker can move her message from "repudiated" to "ambiguous" simply by attaching a fake DKIM signature that she knows will never validate. That alone is a reason this plan won't work. > Yes, I have gone radical, and I am no longer willing to be limited by > the design limitations of DMARCv1. I think that's a fine approach, but it has to come with proposals that do not violate the other protocols that we're relying on. Barry
- [dmarc-ietf] Priming the Pump for Discussion - Ra… Todd Herr
- Re: [dmarc-ietf] Priming the Pump for Discussion … Dilyan Palauzov
- Re: [dmarc-ietf] Priming the Pump for Discussion … Alessandro Vesely
- Re: [dmarc-ietf] Priming the Pump for Discussion … John Levine
- Re: [dmarc-ietf] Priming the Pump for Discussion … Douglas Foster
- Re: [dmarc-ietf] Priming the Pump for Discussion … Douglas Foster
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Douglas Foster
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Todd Herr
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Douglas Foster
- Re: [dmarc-ietf] Priming the Pump for Discussion … Steven M Jones
- Re: [dmarc-ietf] Priming the Pump for Discussion … John Levine
- Re: [dmarc-ietf] Priming the Pump for Discussion … Douglas Foster
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Alessandro Vesely
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Todd Herr
- Re: [dmarc-ietf] Priming the Pump for Discussion … Jim Fenton
- Re: [dmarc-ietf] Priming the Pump for Discussion … Jim Fenton
- [dmarc-ietf] Fwd: Priming the Pump for Discussion… Douglas Foster
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Alessandro Vesely
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Douglas Foster
- Re: [dmarc-ietf] Fwd: Priming the Pump for Discus… Barry Leiba
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Barry Leiba
- Re: [dmarc-ietf] Fwd: Priming the Pump for Discus… Dave Crocker
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Dave Crocker
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Dotzero
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Benny Pedersen
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Barry Leiba
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Dotzero
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 John Levine
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Barry Leiba
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Dave Crocker
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 John Levine
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Dave Crocker
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 tjw ietf
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 John Levine
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Laura Atkins
- Re: [dmarc-ietf] Fwd: Priming the Pump for Discus… Douglas Foster
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Steve Siirila
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 John Levine
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Dave Crocker
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Alessandro Vesely
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Laura Atkins
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Laura Atkins
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Alessandro Vesely
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Matthäus Wander
- Re: [dmarc-ietf] Fwd: Priming the Pump for Discus… Barry Leiba
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Alessandro Vesely
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 John Levine
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Дилян Палаузов
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… Alessandro Vesely
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… John R Levine
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… Alessandro Vesely
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… Benny Pedersen
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… Alessandro Vesely
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… Douglas Foster
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… Alessandro Vesely
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… John Levine