Re: [dmarc-ietf] ARC-Seal is meaningless security theatre

Bron Gondwana <brong@fastmailteam.com> Sat, 19 August 2017 07:48 UTC

Message-Id: <1503128933.2760522.1078309768.4D8C11C9@webmail.messagingengine.com>
From: Bron Gondwana <brong@fastmailteam.com>
To: dmarc@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_150312893327605220"
Date: Sat, 19 Aug 2017 17:48:53 +1000
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com> <166070f0-4ba1-70da-1f73-885b4a7f7640@gmail.com> <1502497178.4103451.1070917304.23DD466D@webmail.messagingengine.com> <598F9484.7020700@isdg.net> <CABuGu1p=oLfLRkuoaDHoz3Cv3_FrURdsFPzkac7jNzBpqBmiSg@mail.gmail.com> <599484FB.9050908@isdg.net> <1502929303.4038704.1075868960.5D80A788@webmail.messagingengine.com> <5997DBA6.3080701@isdg.net>
In-Reply-To: <5997DBA6.3080701@isdg.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/vazEFDIjxEaEq8RLuv6_nzUNjX0>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
Precedence: list

On Sat, 19 Aug 2017, at 16:33, Hector Santos wrote:
> On 8/16/2017 8:21 PM, Bron Gondwana wrote:
>> On Thu, 17 Aug 2017, at 03:46, Hector Santos wrote:
>>> On 8/13/2017 10:28 AM, Kurt Andersen (b) wrote:
>>> 
>>>   On Sat, Aug 12, 2017 at 4:51 PM, Hector Santos wrote:
>>> 
>>>     If we even have a DMARC ARC Policy concept, than that may be
>>>     enough to begin pursuing the high cost of experimentation and
>>>     development here.
>>> 
>>> 
>>>   Beyond the protocol and usage specs, what are you looking for?
>>> 
>>> 
>>> A practical purpose for supporting (implementing) this work.   It
>>> appears ARC wants the network to stamp mail "blindly" as the mail
>>> travels from point to point.  I am trying to grasp how it helps
>>> resolve the main issue with "unauthorized" indirect 3rd party
>>> signatures, in particular when dealing with strong, exclusive DKIM
>>> signature policy models such as DMARC p=reject.
>> 
>> We spent a while thinking about this (Neil and myself from FastMail)>> at IETF99 after learning how ARC works, and came to the conclusion
>> that ARC as specified can't help with DMARC p=reject.
>> 
>> The only way you could even hope (as a mailing list) to avoid
>> rewriting the sender is for every site that currently has DMARC
>> p=reject to change that to a new policy which explicitly means "only>> reject if no ARC chain" - otherwise you can't stop rewriting sender
>> until you know that every receiver on your list is ARC-aware.
> 
> The MLS (Mail List Server) cam also reject submissions from
> restrictive (p=reject) domains because that MAY be the intent of the
> originating author domain.   The MLS can so prohibit new subscriptions> by verifying the user's domain is not restrictive.
> 
> We need more protocol information from what extracted from DMARC.  As> I see it, these are some of the boundary conditions:
> 
>     DMARC p=reject;  arc=none;       ignore ARC, same as no arc= tag
>     DMARC p=reject;  arc=all;        reject if any arc seals is
>     invalid>     DMARC p=reject;  arc=first;      don't reject if first arc seal is> valid
>     DMARC p=reject;  arc=last;       don't reject if last arc seal is> valid
>     DMARC p=reject;  arc=first,last; don't reject if first and last
> arc seals are valid

For what it's worth, the ONLY one of these which my "fake Brandon" email
would have failed to validate for is p=reject, arc=none.  A chain of
valid ARC seals is so easy to fraudulently create that it's not funny.
Everything other than arc=all there is totally pointless - if you can
intercept and modify email, you can easily add ARC headers that maintain
a complete chain is seals.
Now arc=site2.com,site3.com,site4.com - that's valuable.  You could say
"only allow ARC through the following intermediate domains" - and then
you could add those to your allowed list for your domain as you got
reports of validation failures and user requests.  Over time a domain
would build a list of mail flows that its users used.   You could even
use a different selector for each sending user, and publish a different
policy for that selector, so each user got their own allowed mail flows!
But anything that's based on count/position of seals in the chain, that
has no value.
Bron.


--
  Bron Gondwana, CEO, FastMail Pty Ltd
  brong@fastmailteam.com

[dmarc-ietf] ARC-Seal is meaningless security the… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Tim Draegen
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… John Levine
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Scott Kitterman
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… MH Michael Hammer (5304)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… mhammer@americangreetings.com
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos