Re: [dmarc-ietf] non-mailing list use case for differing header domains

[Alessandro Vesely <vesely@tana.it>]

On Wed 29/Jul/2020 19:34:48 +0200 Hector Santos wrote:
> On 7/28/2020 1:19 PM, Doug Foster wrote:
>> Hector, I do not understand this comment:
>>
>> "The DKIM Policy Model since ADSP lacked the ability to authorize 3rd party 
>> domains. DMARC did not address the problem and reason ADSP was abandoned. 
>> Hence the on-going dilemma."
>>
> 
> [...]
> 
> We have DKIM Policy extension proposals like ATPS (RFC6541) that offers a 
> deterministic method to associate the author domain with 3rd party signer 
> domains.   This authorization is defined by the Originating, Author Domain.
> 
> Look at my DMARC record for my isdg.net domain:
> 
> v=DMARC1; p=reject; atps=y; rua=mailto:dmarc-rua@isdg.net; 
> ruf=mailto:dmarc-ruf@isdg.net;
> 
> The atps=y tells an ATPS compliant receiver that if it sees a 3rd party domain 
> signature:
> 
>    Author Domain IS NOT EQUAL TO Signer Domain
> 
> Then it can do a ATPS look:
> 
>     base32(sha1(SIGNER-DOMAIN))._atps.isdg.net
> 
> So if I wanted to authorized bayviewphysicians.com to be able to sign for me, I 
> would go to the wizard https://secure.winserver.com/public/wcdmarc,  enter your 
> domain in the list of authorized signers, click Zone Record and I get a record 
> I can add to my isdg.net zone:
> 
> e25dhs2vmyjf2tc2df4efpeu7js7hbik._atps  TXT ("v=atps01; d=bayviewphysicians.com;")
> 
> So anyone out there can see that I authorized bayviewphysicians.com to sign for 
> isdg.net


Isn't that overly complicated?  Why SHA1?  An alternative method to authorize 
3rd parties is RHSWLs, see my previous post[*].  By comparison with the above 
quote, assume we have:

     From: someone@example.com
     Sender: auto@example.net

The DMARC record at example.com:

     v=DMARC1; p=reject; snd=lst.rhswl.example; rua=mailto:rua@example.com;

The snd=lst.rhswl.example tells a compliant receiver that if it sees a 3rd 
party authentication (either SPF or DKIM) of the Sender domain:, where:

     From: domain IS NOT EQUAL TO Sender: domain

Then it can do a right-hand side whitelist lookup:

     example.net.lst.rhswl.example

If the record exists, then example.net is authorized to send on behalf of 
example.com.


Features:

* Absence of cryptographic stuff (sha1) makes it simpler.

* A multi-domain bank (Autumn's example) can easily build its own RHSWL 
containing all and only their domains, e.g.:

   firstbrand.com.lst.mainbrand.com  IN A 127.0.0.2
   secondbrand.com.lst.mainbrand.com IN A 127.0.0.2

* Large free-email domains can build their own RHSWL so as to avoid the MLM 
problem.

* Lazy mail domains can easily point to a public RHSWL which lists almost all 
the legitimate Internet.

* Strictly transactional domains can still keep snd=none (the default).

* Experimenting domains can have p=none; snd=lst.in-progress.example; while 
they monitor aggregate reports to see how their list is doing.


Best
Ale
-- 

[*] https://mailarchive.ietf.org/arch/msg/dmarc/jQlUhE-ijiWeb1CybKy6367eVn8