IETF Logo Mail Archive

Re: [dmarc-ietf] Fwd: Priming the Pump for Discussion - Ratchets

Barry Leiba <barryleiba@computer.org> Wed, 21 July 2021 19:00 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43F073A25CF for <dmarc@ietfa.amsl.com>; Wed, 21 Jul 2021 12:00:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.65
X-Spam-Level:
X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I89KHhBrmjUz for <dmarc@ietfa.amsl.com>; Wed, 21 Jul 2021 12:00:38 -0700 (PDT)
Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com [209.85.167.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B5373A26A1 for <dmarc@ietf.org>; Wed, 21 Jul 2021 12:00:27 -0700 (PDT)
Received: by mail-lf1-f44.google.com with SMTP id y42so4715310lfa.3 for <dmarc@ietf.org>; Wed, 21 Jul 2021 12:00:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KknaKavPl63u5u5BJlXp7DPl27/iq2od+2d3/Q1uAro=; b=LfJzQ8E6SB8gLFZ70ewAYhy+b9qJvKci9f14S5m1VR9Vjt5CYw7TJQEhkDbLlq87/3 fexwRue1/H/UNXpXbtI5dGCeG3LTIKAGHMXO7rYVpwtNOWQIFV0gvsiTDWXveoBIwqP3 GWJOu8FwycRWI1iX03avZT6HdqojKiZSDwxLkMjyMjx+hNcBWfrIYBH7J/Bo0AxXEDRb RUq4KUm2pjob2GeLX8ZWge3Ow8+f4fAMVyYixHXNQmUfP8LDHy2WKk22HOC+LjrLTHKh jr5KagWlzBaXKxSelGLFZ37wRTmfv7vEiTvzjFhaBzqttcdKn8BrYpfIYXc5v9QW/wgk Rgqw==
X-Gm-Message-State: AOAM530zuTEd3YOQL5NCqlIG3gRoGeYo8RfEiDxqLqCrfycIKR6a71Rq XaNd5awBXZBHc0rPVnbAXG8xRjaEGyPT59uMnE4=
X-Google-Smtp-Source: ABdhPJx9o49QF98VrNLbwXM4Z7fHNWV4pKrTQOp6h1I53m4PFTHUUAga4/Cc4vdmvGk3p8XpMTKYWu2aGymlxX70AmA=
X-Received: by 2002:ac2:44ad:: with SMTP id c13mr25788595lfm.377.1626894024208; Wed, 21 Jul 2021 12:00:24 -0700 (PDT)
MIME-Version: 1.0
References: <CAHej_8=yvgXP2WgHayhGU2Hg2E0RcNgZBFjfw1cM-qKWkTG-+w@mail.gmail.com> <d80b0a14-0f4d-8266-8d42-8d9a6b02413d@tana.it> <CAH48ZfyLvECR_nwLmw6R6RnE4EZa8g_i7MJaF32d2qk4RBCKRA@mail.gmail.com> <1E1F7937-AFEC-4F5A-8A5A-229A99C94E8B@bluepopcorn.net> <CAH48ZfyTm1PSANTUmnqOy3aeiW4JHGbTsQ-m9xtSW9zFaCUZQA@mail.gmail.com> <CAH48ZfzEWaFPUG4Gfc2ckpyUEq-8L9kEZZv+LwqJcW88=0y6=w@mail.gmail.com> <CALaySJJ2ZFML2neecfgAhvfk_1EuMNGw6DwchLmmWWpbDJC+Zw@mail.gmail.com> <CAH48ZfxELhp+fHujdZzDADGz4MNoWsJLB7cU1d1cW065Xu8YBQ@mail.gmail.com>
In-Reply-To: <CAH48ZfxELhp+fHujdZzDADGz4MNoWsJLB7cU1d1cW065Xu8YBQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Wed, 21 Jul 2021 15:00:12 -0400
Message-ID: <CALaySJ+5i6vcii=YTTMQbr5gcdNSmOjNDp6ox8nK+izJDAe2_A@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/vPcrUQHJ083qjxfVS-D6jjSO44U>
Subject: Re: [dmarc-ietf] Fwd: Priming the Pump for Discussion - Ratchets
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jul 2021 19:00:47 -0000

>> I don't agree with the characterization of the second group.  I would
>> say that we are partitioning messages into these two groups:
>> - Those for which we can confirm that they originated in the domain
>> they say they did.
>> - Those for which we can not confirm that.
>
> When we use P=REJECT, we assert that anything which cannot be
> confirmed is unacceptable.   That makes for two pretty disjoint
> groups.   If Authentication is only to be used to validate a
> whitelisting decision, then a one-sided test would be sufficient.   In
> practice, the primary use for DMARCv1 is to block messages, and much
> of our discussion has been around the unwanted disposition that this
> places on mailing lists.

Indeed; there is definitely a problem between DMARC's p=reject and
mailing lists.

> DKIM treats an invalid signature as non-existent.   It also treats a
> DKIM signature as fully optional.   DMARCv1 changes the rules to
> gather more usable information from the message.    DMARCv1 with
> P=REJECT says that a message which lacks authentication is
> unacceptable, and since any message might be forwarded, it has
> effectively made DKIM non-optional..  So we have already modified the
> interpretation of DKIM.

Here, again, I disagree with your premise: we have not modified the
interpretation of DKIM.  Senders still decide whether to sign with
DKIM or not, and you're correct that it's a poor quality deployment to
use p=reject (or even quarantine) without also deploying DKIM signing.
But the interpretation has not changed: a valid DKIM signature still
means the same as it always did, and the absence of a valid DKIM
signature still means the same as well.  We have not created -- and
must not create -- an additional state that has been proscribed for a
number of good reasons.

> I have observed that IF the domain owner indicates that all messages
> originate with DKIM signatures, then the presence of a signature is no
> longer optional at the evaluation point.    As I have said previously,
> this provides a valid basis for partitioning messages between
> verified, ambiguous, and repudiated.   If you accept the premise that
> mailing list messages should not always be repudiated, then nothing we
> have done up to this point has provided a reliable way to repudiate.
> I am saying that this is a problem that we can fix.

It does not provide such a valid basis.  With your proposal, any
attacker can move her message from "repudiated" to "ambiguous" simply
by attaching a fake DKIM signature that she knows will never validate.
That alone is a reason this plan won't work.

> Yes, I have gone radical, and I am no longer willing to be limited by
> the design limitations of DMARCv1.

I think that's a fine approach, but it has to come with proposals that
do not violate the other protocols that we're relying on.

Barry

v2.23.0 | Report a Bug | By Email