[dmarc-ietf] ATPS, TPA-Label, etc.
"Murray S. Kucherawy" <superuser@gmail.com> Sun, 20 July 2014 19:55 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74FCF1A0AF0 for <dmarc@ietfa.amsl.com>; Sun, 20 Jul 2014 12:55:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h2eCQEmH1CMV for <dmarc@ietfa.amsl.com>; Sun, 20 Jul 2014 12:55:41 -0700 (PDT)
Received: from mail-wg0-x233.google.com (mail-wg0-x233.google.com [IPv6:2a00:1450:400c:c00::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2F511A0B13 for <dmarc@ietf.org>; Sun, 20 Jul 2014 12:55:39 -0700 (PDT)
Received: by mail-wg0-f51.google.com with SMTP id b13so5614406wgh.22 for <dmarc@ietf.org>; Sun, 20 Jul 2014 12:55:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=5+Gvp0GpLYzR59EyAEVsw5Wo2SQytpnuP6jBYOkI1LY=; b=GwWYTPWXlKEl3hRM6GJ1r2VMBd2GJ8/EvRpqNSwIdtVI8jS0BdQhNqQxYGH8fvt0Xu e4AM09TDszryy+bdq8Ntsrt0QiJS/ZX71fC3CBpxogZ1VucI4B4Ejcs2TWQbHNc+OkyF EtvSVw8mJ8xVMLxLZJrYJP07hvy3hEOvKIsJ6iAk3mxEqtb0W07Qt26txQkg6PTlaCc4 bCthU9XmHMccvCetSUJJD7Y/BFG+BUkuFyBNtILKQC2A4YwuNu92eYsFt5nItYac/TKm uHIWRqN/M5b3dJ3MaAzxI2CNl0Ld/ObOsLnUsYyqAJFaEdk8X2V+zOZlKrb+XmiEK4s5 auDA==
MIME-Version: 1.0
X-Received: by 10.194.186.178 with SMTP id fl18mr15760386wjc.83.1405886138299; Sun, 20 Jul 2014 12:55:38 -0700 (PDT)
Received: by 10.180.10.99 with HTTP; Sun, 20 Jul 2014 12:55:38 -0700 (PDT)
Date: Sun, 20 Jul 2014 15:55:38 -0400
Message-ID: <CAL0qLwaii6BhUXuWm2ujORGjrLuQ6ANPiQ1M7wv3OZH4xkV-1w@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: Douglas Otis <doug.mtview@gmail.com>
Content-Type: multipart/alternative; boundary="047d7bb04dd2de398e04fea55f6e"
Archived-At: http://mailarchive.ietf.org/arch/msg/dmarc/y-ju4leN1PXrp3YmSPLnB6Dy3Ao
Cc: dmarc WG <dmarc@ietf.org>, Hector Santos <hsantos@isdg.net>
Subject: [dmarc-ietf] ATPS, TPA-Label, etc.
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Jul 2014 19:55:43 -0000
[Changing Subject: to a new thread and dropping ietf@ietf.org, since this is not charter discussion] On Sun, Jul 20, 2014 at 12:27 AM, Douglas Otis <doug.mtview@gmail.com> wrote: > ATPS is not the "lite version" of TPA-Label. This is explained in > http://tools.ietf.org/id/draft-otis-tpa-label-04.html#rfc.appendix.C > I disagree. I think that's exactly what it has turned out to be. ATPS requires DKIM signatures used by Third-Party Services to somehow > determine different label encoding methods permitted by ATPS. ATPS also > lacks any discovery or exchange method for this. In contrast, TPA-Label > makes NO demands on third-Party services. None. Since there is only one > encoding method, there is NO guesswork discovering the listing encoding > method. > There's no magic involved here ("somehow"? really?). The third-party selects a hash algorithm, or opts not to use one, and indicates this choice in the generated signature. The possible choices are enumerated in the specification. The verifier thus knows which hash (if any) was used. There is no discovery or exchange needed, since any DKIM implementation already includes support for all of the ones that ATPS specifies. Claiming there's some kind of burden ATPS has that TPA-Label does not have is simply false. If this truly is a burden (which I seriously doubt), selecting one hash or the "none" option and removing the other choices from ATPS is certainly possible, but first I think I'd like to see some evidence that this is a pain point either for implementers or operators, or that it creates an interoperability problem. The extra processing is only done when DMARC indicates non-complaince where > the DMARC domain can then indicate whether they have informally federated > the domain in question and what if any additional information must be > included in the message. In comparison, processing a new DKIM-ike > signature involves greater overhead than that needed to obtain a TPA-Label > resource which happens only after the domain in question has been > validated. It seems TPA-Label represents far easier deployment and far > less overhead since the Third-Party makes no change to their process and > only a single, small, cacheable TPA-Label resource is provided by the DMARC > domain. > Both methods start from a place of non-compliance of the basic case, namely non-authentication by the author domain. ATPS requires that the third-party have signed with DKIM (and thus as we say, "taken some responsibility for") the message under evaluation; TPA-Label does not have this constraint by default, which means TPA-Label is cheaper to deploy. However, I'm at a loss to understand why "X is an approved third-party for Y" is meaningful when neither of those identifiers are authenticated. If Y is a high-value target, then an attacker can merely claim to be X; without authentication, TPA-Label still approves this. "Just make X authenticate with DKIM," you say? Guess what, you're back to ATPS. All of the other options TPA-Label has about must have this header field or that one, or the value of this field must align with that one, are trivially satisfied by an attacker because the acceptance policy is made public, and I don't think they add any protection that isn't thus trivially defeated. They may help for a migration, for example, but not as an effective security mechanism against a bad actor. In terms of what's useful to DMARC, the ability to announce a third-party delegation approved by the author domain and authenticated by SPF is the only thing ATPS can't already do. And I'm not convinced that either of these methods is better than the ephemeral delegation idea. Anyway, all of that is for the working group to decide. Finally, Appendix C of the TPA-Label draft makes what I believe is a bogus claim about causes for the lack of ATPS adoption. The reason is far more general: Even though we made ATPS available for free, including deployment tools, there has never been any obvious evidence that a third-party mechanism is sufficiently secure, scalable, and above all, necessary. It is the main reason why TPA-Label, which is older than ATPS, has also seen no adoption to speak of. -MSK
- [dmarc-ietf] ATPS, TPA-Label, etc. Murray S. Kucherawy
- Re: [dmarc-ietf] ATPS, TPA-Label, etc. Douglas Otis