Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
"Murray S. Kucherawy" <superuser@gmail.com> Fri, 18 August 2017 18:10 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69F5D126B71 for <dmarc@ietfa.amsl.com>; Fri, 18 Aug 2017 11:10:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkK5XiXVkvgD for <dmarc@ietfa.amsl.com>; Fri, 18 Aug 2017 11:10:21 -0700 (PDT)
Received: from mail-qt0-x22b.google.com (mail-qt0-x22b.google.com [IPv6:2607:f8b0:400d:c0d::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CA50120727 for <dmarc@ietf.org>; Fri, 18 Aug 2017 11:10:21 -0700 (PDT)
Received: by mail-qt0-x22b.google.com with SMTP id a18so57944632qta.0 for <dmarc@ietf.org>; Fri, 18 Aug 2017 11:10:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=fzxnHC8KMLr3FzaO/Cw+6zlqzf/029C1e2smaUattQ4=; b=BxwNjBW/qMv8i8pcy9J8oS5A5o/mDMeem60I0mrY1Ey+NHmvQKGTBw4nputKZwB+NJ lW/Eq1dTeEzizi2uzf35SyxVDp5ApRXhdt1HcKzGXGdsa4YYq3VL/EaMze35R3tf7Kgn gyzfqmFU2mC2710+jvoDZqMtFM9OhRIVShMfz6wIiGl5qUDSxc7F/qzb9t8Z9vmsCTyb 8DUCmCM7ZUg7CE7zhsAQTSeNBVy9Aruyfw1hrD6eA8TiiSEe7TjFEDGbKFKfMWoe+p/B b6WsiwIz8JYOPKeJ4Ico1XfNJs4dpGYEjDsKRk1KBy3j6HBoKQZIKZ04jU0vv6J9aPxk ABog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=fzxnHC8KMLr3FzaO/Cw+6zlqzf/029C1e2smaUattQ4=; b=oyIHM4OMEIDVNzJHkFNPqrG1QkN4CGUiotsG5jCU+4Q5xDynYAdy22DnHdXFcuGZVb hNfvGvazqd9nH8VVrZzYLnSffyCoJcXmKUmPxxo3ZUueV6sNjB5ZE28C8AeCkRD9cDQl m/DcLtJ5Nm8KyXQ/yIdcZplAHRj0n31+I1rw4SNIFrJYEEp3NUamDPJWTjsSCY1zKuN5 ElBenNz1i8XaQourr9EL86F3p5yOMJPdjwNVDPU0FsZJhne9rEhU9IIvKmm81wUXJPPU 0JJxJWYTO02D7DyTErp7IXPiaplB6IrQjbNpWQYip3/DvRmrm6F+cJzRAxO1CB2XmUIT LI7w==
X-Gm-Message-State: AHYfb5jdHYWnz55Ghz8BdlCMDF/k39YoicLFUbTiwRFM/bm65BHTwr4x 6T8s70kA/55C8lZ6/CsZpblx6EHV0w==
X-Received: by 10.200.51.244 with SMTP id d49mr13306700qtb.32.1503079820382; Fri, 18 Aug 2017 11:10:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.237.57.34 with HTTP; Fri, 18 Aug 2017 11:10:19 -0700 (PDT)
In-Reply-To: <f62ca9fc-e73c-82e7-173c-5cdc3c761dd6@gmail.com>
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com> <166070f0-4ba1-70da-1f73-885b4a7f7640@gmail.com> <1502497178.4103451.1070917304.23DD466D@webmail.messagingengine.com> <598F9484.7020700@isdg.net> <CABuGu1p=oLfLRkuoaDHoz3Cv3_FrURdsFPzkac7jNzBpqBmiSg@mail.gmail.com> <599484FB.9050908@isdg.net> <1502929303.4038704.1075868960.5D80A788@webmail.messagingengine.com> <CAD2i3WN_bmDgmQBw3pnyu7vWJJM2Kzwgru87VhK=NA_H91B+og@mail.gmail.com> <1502930858.4042926.1075890568.5069945B@webmail.messagingengine.com> <CABuGu1ofdkP6Gdsfin6KfpiTJW39gXz8Fa0iAAmXfcvyWGZxdA@mail.gmail.com> <CAD2i3WPuiMw6Gbdw0E+Gh=yNDfNjECMrqLHKPUspq_h6dnpbnA@mail.gmail.com> <f62ca9fc-e73c-82e7-173c-5cdc3c761dd6@gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Fri, 18 Aug 2017 11:10:19 -0700
Message-ID: <CAL0qLwZRfEEZ=Vz4tWAYEn97H9uvMzSyYe2+-Ak762qpvDmm3g@mail.gmail.com>
To: Dave Crocker <dcrocker@gmail.com>
Cc: Seth Blank <seth@sethblank.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c160e6c3594005570b0a7e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/vuvfvua-PiYR0BpIRDYwAofh8Y4>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Aug 2017 18:10:23 -0000
On Fri, Aug 18, 2017 at 10:08 AM, Dave Crocker <dcrocker@gmail.com> wrote: > On 8/18/2017 10:00 AM, Seth Blank wrote: > >> >> Right now, we've got deployed code that we know works and improves the >> landscape. Everything else is - rightly or wrongly - conjecture. >> > > > Personal Point of order: > > Using an 'installed base' argument for a brand new specification that > is still in development and has minuscule deployment is not appropriate, in > spite of having a long and storied history of being used to resist a > proposal. > > What's supposed to happen with a proposal is an evaluation of its > technical and functional merits. > > > The entire point behind bringing a nascent specification to the IETF is to > get review and suggestions from a wider audience. While I would normally agree firmly with that position, my view in this case is softer given what I believe was consensus (I'm not the chair, so that's not my call officially) that we're going to go for Experimental status. I submit that our primary mission here per our charter is to come up with a mechanism that mitigates DMARC's damage to mailing lists. The claim that ARC as designed over-engineers a solution seems secondary to me; the question we need to answer is "Can this mitigate the damage?" With or without Bron's reduced design, that's the question before us. The "snake oil" claim may be true but it's orthogonal to that core question, and moreover points to the way we describe what exactly ARC provides ("chain of custody" is clearly not appropriate given that we are no longer sure what that actually covers), independent of whether it tells us enough to solve the question at hand. Accordingly, I would suggest we continue to deploy and experiment with the specification as-is, because there are implementations now, until we've determined that ARC as currently defined does or does not address DMARC's mailing list issues. I also suggest that an appendix be added acknowledging that the super-crypto of ARC-Seal may be superfluous, and at the conclusion of the experiment we can make a decision about removing it and moving more toward what Bron's suggesting. Of course, the danger of proceeding along that line is that we do establish a deployed base, however small, that will be difficult to change later. I don't know the answer to that question immediately, and admittedly I'm only going to be on the periphery of cleaning up whatever mess results. -MSK
- [dmarc-ietf] ARC-Seal is meaningless security the… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Tim Draegen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… John Levine
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Scott Kitterman
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… MH Michael Hammer (5304)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… mhammer@americangreetings.com
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos