IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

Seth Blank <seth@sethblank.com> Fri, 27 July 2018 17:54 UTC

Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6734F131050 for <dmarc@ietfa.amsl.com>; Fri, 27 Jul 2018 10:54:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ggwHZLSO0YI for <dmarc@ietfa.amsl.com>; Fri, 27 Jul 2018 10:54:26 -0700 (PDT)
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C315D130F41 for <dmarc@ietf.org>; Fri, 27 Jul 2018 10:54:26 -0700 (PDT)
Received: by mail-oi0-x229.google.com with SMTP id l10-v6so10542403oii.0 for <dmarc@ietf.org>; Fri, 27 Jul 2018 10:54:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=ZGFgg+G0zwGoq4R2493HJdTtiB4G9BWVnPEQ/sOs4w4=; b=K7mjA5HSVBLvVfR5GANxfBkjgOmOVRqphXS90ALSXvfLq1lFLg+5lZCQMdNrRLhbec e4r59avncV+IkOMkvQZCpnCw8x734RdaE4YmGeuQznU/2rk/ZjDwArQ+yXs1xW40Xdmp GjTdCso3+IdyoszkjLlixiDZX2UqBLYyCw3oLFiewKbKL9QMqjIBXMBm2JlJOQBGALyU TntVMEYpvQ638zt/02FgCFbR9sX6YeW4g+88jSzEsccJgstnmTEntrIerYFr3DIKr4Oi 5O5cl8YAaH2QWjHFqP6YHLHCyNDltpF3LiF+p+9UwzJ6GMh8VfUju/0XTmUijHOIJWRo qQZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=ZGFgg+G0zwGoq4R2493HJdTtiB4G9BWVnPEQ/sOs4w4=; b=Q5Hzja7I2UqdPGFU2RwGnL5UKC2+Wv2OyD8/7XBt5EV0CTs5V/VCkVv4ogCE6+m/mm 0gSnsH5cuUgqtq+/rWw/iwc2pCofqy+RjK19s9J4d/f8AI4OsiotEOmHYN7vMYBRccaJ Bnj61rO/Z3WJnDHfoq621w9MNilNvmYjnRyP2ob8Q2W8U8EktBlf8hLMu2mJszzWaxM8 CDt67Kh3mljm5DSQKcxhe8zj3FvGmtrnwa1SHaojVf8pbER/Emj96SWVzaf/tn9iBnYx li7HRPTkz3fkI7McZmxP3sN+fjPyE2zJfkqv2WPuGBAqdYt/hEfsNv+XyhCa+2eQ0mxU 2n5w==
X-Gm-Message-State: AOUpUlGMt8n5ZZmskHiQgq6FMH5Fpby80DY4/oNm9kJluQdQwE0Yp6wK VNpzpGXUtIXb9vv3GvJkgTDKeB0+aJFmSUbe9tNK+z+D68g=
X-Google-Smtp-Source: AAOMgpeoLedbn4jNxv0Tx7RSOlaj5+wTt1CbtNrK53EXwyC27ZmqWHjr8HdkWXF87r46BrFR594btyA56yyHnZt1bY4=
X-Received: by 2002:aca:b355:: with SMTP id c82-v6mr7993446oif.9.1532714065694; Fri, 27 Jul 2018 10:54:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:2646:0:0:0:0:0 with HTTP; Fri, 27 Jul 2018 10:54:05 -0700 (PDT)
In-Reply-To: <CAL0qLwbL-oFuoyY65jH4ddyuGd6THYeFdQwyWC9f-dOpr_CN6A@mail.gmail.com>
References: <CAD2i3WMMJPaZYonS-qcz8pwOKYmS2Xe+8WBZPuAqjiGoYePzSg@mail.gmail.com> <CAL0qLwapyX3U=0OqQWzx+dDELn3W0v=N_HyzDnSw49oWQ+SE5Q@mail.gmail.com> <CAD2i3WN90JSS8pzgRxrbokuKmhZaLUrimYRWqkZwzVDBxTczng@mail.gmail.com> <CAL0qLwZ_uPh5iPkS7MKzDp3x=dAgn-hmsEunccDc3Hj2bsphpQ@mail.gmail.com> <CAD2i3WM99Yy6Y=BQE4dC=Ffm7J32My160Xdm2oxXC50Au9tXoA@mail.gmail.com> <CAL0qLwbL-oFuoyY65jH4ddyuGd6THYeFdQwyWC9f-dOpr_CN6A@mail.gmail.com>
From: Seth Blank <seth@sethblank.com>
Date: Fri, 27 Jul 2018 10:54:05 -0700
Message-ID: <CAD2i3WONSEJF+yrtzRD2hJYQJjwpaCOAFiUpRWjJyYrYSpK3-Q@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006d9d4e0571fecdef"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/vZlCi0Gl_NPgaUIRulpk3en59K0>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2018 17:54:30 -0000

On Fri, Jul 27, 2018 at 10:39 AM, Murray S. Kucherawy <superuser@gmail.com>
wrote:
>
> But (and I think this proves my point) I don't know if "cv=fail" refers to
> an invalid chain or a failed chain.  I have to run the verification to
> figure that out.  But you're saying you just stop when you see "cv=fail".
>
> I remain confused.
>

I don't understand what you're exploring. The algorithm in
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-16#section-5.2 is
clear and the separate paths you're describing don't factor it.

On validation, you grab the highest instanced ARC set (step 1), and then
start a process to set the chain validation status of the inbound ARC Chain.

If the highest instanced ARC Set has cv=fail in it, you're done (step 2).
No cryptographic checks have even been performed at this point, because in
either scenario the chain is dead. If the AS validates and you have
cv=fail, then the chain state is fail. If the AS does not validate, then
the chain state is fail.

Crypto isn't checked until step 3, and we never get there. If you're doing
analysis and want to understand what caused the chain to fail, you're now
outside of validation and outside of matters that affect interoperability.

Or am I still misunderstanding what you're getting at?

v2.23.0 | Report a Bug | By Email