IETF Logo Mail Archive

Re: [dmarc-ietf] third party authorization, not, was non-mailing list

Dotzero <dotzero@gmail.com> Tue, 25 August 2020 09:14 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C8D13A090C for <dmarc@ietfa.amsl.com>; Tue, 25 Aug 2020 02:14:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9J2RsWjiuFG5 for <dmarc@ietfa.amsl.com>; Tue, 25 Aug 2020 02:14:39 -0700 (PDT)
Received: from mail-qk1-x72d.google.com (mail-qk1-x72d.google.com [IPv6:2607:f8b0:4864:20::72d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0D0D3A08E5 for <dmarc@ietf.org>; Tue, 25 Aug 2020 02:14:39 -0700 (PDT)
Received: by mail-qk1-x72d.google.com with SMTP id 144so10275453qkl.5 for <dmarc@ietf.org>; Tue, 25 Aug 2020 02:14:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jMf967JyC1sHeIPQNDzr0alAVx1Xg++8rmQShugdidk=; b=AmoMB+YT41+It/baNT4d/7Z4S64gDeelyw0UGSLjQhfpL2qANcvcQkU5Xe2Pj7Ew1/ aLovWVlaC7yh7xz3fFV/kAOSVftp7gDrlDWZQpkLab6skrpNbd+u8iD8gI3S18jxOFOo tYAJv4z82EjAwT6/bzIjwcsExmiOCNp6kG7zBbZ/wCpV76HYHMVI4t4MR7G9y2MYa0rU d0fL6C9jHOjsvlrcfiGUnVwUsZ6m088wJ0GGf9YtexVm8RUa+uxE+HJoTdPWN038/2BM olpigbsbA9UBAO/Ev+NfPK7/H0fa0jtO1WqXzMEa3yKeHYBg8SPhE1uHKx/+1C34cJBY Sn/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jMf967JyC1sHeIPQNDzr0alAVx1Xg++8rmQShugdidk=; b=o9zV8yeiIpx/EXZYhVIZF9H9C+nhPLhW3TkZ6W09WoGwvsQ0UVVvEADc7IGy50FKe6 qkceLNee06xHC23GEGyWj+53kufo6/FJf4h1SUemJcmvswdjN6k3tMfu1HDa32uDBRhr I72XN/pPgOBprMQNxDXn9ekGDt17ue+rPNowQLZSDA3Qcx/FLEN3D/DMj6B8W6Na0Ds4 Rs33lSHl0SBb/TqWFwOkbkssdWBelrq9G757nBO9K0W7VUrFPr0VqXVl2/rvHEvTQAeH 6DNro9VIwWkE8G3T8RfongRPSlBppFH6U1VNn84+GEDT5ZI1FYPaotbVlWCfcNjS11E4 QrbA==
X-Gm-Message-State: AOAM530Rm0z/9WxTM9yzbfpPt/6WUDNcvdI3m61ZF09Fw/blQ8kiFpk+ MHq0/kfOH87fDyWYlpEkEi9Fi3C95oWN0FT2mMtLribiaHk=
X-Google-Smtp-Source: ABdhPJzI8ZoUheXSMVT+H88HhScMEQY7RhITkN39jXPEGZu6UJ68BL+OyQopeeLWCIsWoXMOnPblcL7sko8YpHdtJ7E=
X-Received: by 2002:a37:a9cb:: with SMTP id s194mr8489162qke.64.1598346878811; Tue, 25 Aug 2020 02:14:38 -0700 (PDT)
MIME-Version: 1.0
References: <20200824172403.A927C1F14BF5@ary.qy> <5fe7d5c2-7330-c9fb-2856-e7dfc2175c82@tana.it>
In-Reply-To: <5fe7d5c2-7330-c9fb-2856-e7dfc2175c82@tana.it>
From: Dotzero <dotzero@gmail.com>
Date: Tue, 25 Aug 2020 05:14:27 -0400
Message-ID: <CAJ4XoYc1vutV61E-66DHWcdOxHmCUWiC0HC0AmiRYUcMxLgcCQ@mail.gmail.com>
To: Alessandro Vesely <vesely@tana.it>
Cc: John Levine <johnl@taugh.com>, IETF DMARC WG <dmarc@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000f081ca05adb0214f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/wiQKqApjk7rzi_7m3yzkkQtlshs>
Subject: Re: [dmarc-ietf] third party authorization, not, was non-mailing list
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2020 09:14:41 -0000

On Tue, Aug 25, 2020 at 5:03 AM Alessandro Vesely <vesely@tana.it> wrote:

> On Mon 24/Aug/2020 19:24:03 +0200 John Levine wrote:
> > In article <CAL0qLwaip0fzXpqnK=XTcEELZRat_gnjuEGZYj=
> 8qgy3wkYfXw@mail.gmail.com> you write:
> >>> If the intermediary DKIM signs the modified message with their own
> >>> signature, that provides some assurance to the receiver.
> >>
> >> You mean like
> https://tools.ietf.org/html/draft-levine-dkim-conditional-00?
> >>
> >> I'm pretty sure that got implemented too, but I can't recall now if it
> ever shipped.
> >
> > I don't think it ever did.  It has the scaling problem of every system
> that sends to mailing lists
> > having to decide what mail it's willing to have re-signed and what
> domain the second signature
> > will use.  Usually it's the domain name of the list except when it's not.
>
>
> Right.  The only practical implementation I see is that the sender has
> a list of recipient addresses that require weak signatures.  When it
> is about to send a message destined to a listed address, it can fork
> the message so that the weakly signed copy is sent to the (trusted)
> list address only.  Any direct copy is signed in full.
>
> To configure that, a postmaster would need an application by the list.
>   Something saying "your users A, B, and C are subscribed to list X,
> please sign weakly".  The postmaster would then verify if A, B, and C
> are trusted users and if they confirm to be subscribed to X.  In that
> case, the address of X gets enlisted.  Would that scale?
>
>
> Best
> Ale
> --
>

Under my concept, all mail would still be signed in full. The weak
signature would be in addition to the full signature and the intermediary
would be expected to sign in full as well. If the original full signature
is broken you are left with the original "weak signature" which authorizes
the intermediary and the full signature of the intermediary.

I would expect there to be multiple potential approaches to identifying
acceptable intermediaries. One might be user self enrollment. For larger
organizations it might be intermediary application/approval. A 3rd approach
might be a trusted 3rd party providing lists of known intermediaries. This
would be separate from the core signing RFC, whether it is part of DMARC or
a separate document.

Michael Hammer.

v2.23.0 | Report a Bug | By Email