IETF Logo Mail Archive

Re: [dmarc-ietf] Delegated authentication for Gmail

Jesse Thompson <zjt@fastmail.com> Sat, 22 April 2023 04:03 UTC

Return-Path: <zjt@fastmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ED65C1527A0 for <dmarc@ietfa.amsl.com>; Fri, 21 Apr 2023 21:03:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.com header.b="uzslFFZB"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="ZJrlaY/C"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 11WQfixqjikT for <dmarc@ietfa.amsl.com>; Fri, 21 Apr 2023 21:03:08 -0700 (PDT)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6027C14CE2E for <dmarc@ietf.org>; Fri, 21 Apr 2023 21:03:08 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id DA4273200AC5 for <dmarc@ietf.org>; Sat, 22 Apr 2023 00:03:07 -0400 (EDT)
Received: from imap42 ([10.202.2.92]) by compute1.internal (MEProxy); Sat, 22 Apr 2023 00:03:08 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm3; t=1682136187; x=1682222587; bh=62 oPBknwV5zUOi1Avl6E7Mu9QujCAVdtk1pIgdwDSFM=; b=uzslFFZBX4asEJ2zne esvkiKV/NMWLFm2JWGNqhUa5X2w8qcAhoI6kjeD9fUGkUMwfgwjAMyZwGhuQNdo+ 3rG8W3g/6EOTK+dANJv/wW50vChBo/XY8kSrVtREE2Jf3zzfqhYgzXf8t51l3fxf tOwkiX3X8FulLbiECy6qwv58NLUJXUICV1FSYWPNPNjN1ea30M84mqlMGpa7BmMY jlzRKV3VUNf7Wg+uIM7Tmohw5Kb/2ohZ+DUPfHkX1DjMwYmE1MfdZl9nnCMZY2Cg 9MlI86Y/SgO0zkRzZRJtoUYV6MDlme3ryP450X5HPI9x3APfY03biUkuOX9RBg/Z qvuw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; t=1682136187; x=1682222587; bh=62oPBknwV5zUO i1Avl6E7Mu9QujCAVdtk1pIgdwDSFM=; b=ZJrlaY/CrIXy4AjvVb0sD2riOq4cG dt4CzUFnO5opX05qiX8vn+nxfiSFYcln24yCO6IVqP4Hh+wOXDHF/swoHDTCRn4Z FvyrUvIMha4dNzyJBjvezmJ0oWN9jFW6ELnRLIpUAkRCWVjdZVbAya/bwkYSXarN D3Y9+rzBcpsKjFTnErrVGlUwoB1lMMugbVFadDWEBxkMbJdkNS9jXwtzwIORkcue MlnCnnw5fgWr0JESABSBUF3gCjvXEZP1F+tQBeGommQkfCrqhidDRSmkN0MHpOcd EwDgJaJ5Dva6O5t0HnLvP3ubVIQ7mJyT7lnnGJeZiE0QRQCeHvC0hj2mg==
X-ME-Sender: <xms:e1xDZKfUwTfgp6HUEyxnEDQxV6IcbTYpBV1QZEfreIkx0S7-ztG-tA> <xme:e1xDZEOxfwYGXoofS27C6rHwVJFkuf3JlQoHom32aAnbEJngby36Wtgrc2JJk_YZR L37NSOmFj4b2v_FC48>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfedthedgjeekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsegrtd erreerreejnecuhfhrohhmpedflfgvshhsvgcuvfhhohhmphhsohhnfdcuoeiijhhtsehf rghsthhmrghilhdrtghomheqnecuggftrfgrthhtvghrnheptdduvdfhledufeehledvtd efjeegfeekgeefheejteelleejueduteefgefggfefnecuffhomhgrihhnpehivghtfhdr ohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe iijhhtsehfrghsthhmrghilhdrtghomh
X-ME-Proxy: <xmx:e1xDZLgDxfgZwcJdZAI9DltPFJ6GMM-xnON3QJEjMtXErO6IKoYt2A> <xmx:e1xDZH9RvS8L8likJpHctW5eTwe3fVo7-mWxNrjR1Ej-Piq1Sh0waw> <xmx:e1xDZGuRK-rpvxkKtVQ8IelqQj4yPZIMua-nAM8ZRAEpRsJXnhKO1Q> <xmx:e1xDZE6Ng5SF6okPxqfPTNChrQX_Pqy_GpwjnGel7xioP_ic8EyfbA>
Feedback-ID: i1a614672:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 3D29ABC0078; Sat, 22 Apr 2023 00:03:07 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-372-g43825cb665-fm-20230411.003-g43825cb6
Mime-Version: 1.0
Message-Id: <e4b4fc68-c345-40d1-9d04-a18d571f4de4@app.fastmail.com>
In-Reply-To: <CAH48ZfwfvJaf_Z1=D1U5rj_7mAHD9gN7jZ1Pjw+7K+qsqbV+FQ@mail.gmail.com>
References: <CAH48ZfxFckUi0JTg=cB7Bc-=PqSqQ5Bmf6dLjnJ+PP_G8a5aog@mail.gmail.com> <CAH48ZfwfvJaf_Z1=D1U5rj_7mAHD9gN7jZ1Pjw+7K+qsqbV+FQ@mail.gmail.com>
Date: Fri, 21 Apr 2023 23:01:59 -0500
From: Jesse Thompson <zjt@fastmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="79a46e5f690f46edb11fd9447119d28c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/yYj9zfkvp-SLdXgnGYP8WybPHS4>
Subject: Re: [dmarc-ietf] Delegated authentication for Gmail
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Apr 2023 04:03:13 -0000

A DNS-based lookup, perhaps in the style of ATSP as this thread is describing, to query for not just domain-level authorization, but also potentially user-level authorization, I think is compelling because it can:

* Give domain owners a mechanism to achieve least-privilege authorization of 3rd parties; limiting blast radius

* Enable delegated authorization of all sending streams within mixed-use domains; not just telling the mixed-use domain owners they are "doing things wrong" and they can't use DMARC as a result

* Make it clear to intermediaries that they do not need to reject or rewrite, assuming they know if the receiver understands they are authorized (but then again, they may not need to care either way, if they are still living in a mindset where DMARC doesn't exist)


On Fri, Apr 21, 2023, at 6:15 AM, Douglas Foster wrote:
> Thinking on this some more, there are some tricky design risks:

I appreciate the thoughts you have put on this topic. It may not be feasible, but I think it's worth exploring user-level authorization.


> If the user-to-domain delegation scheme exposes an email address to the world, that information may be used for unwanted purposes, particularly increased spam volumes.   Hashing provides part of that solution.   The ATSP document solves this problem by using a mix of hash and cleartext domain name, but we should not expose a cleartext username.

Perhaps a query to a domain-level salt would help limit rainbow tables reversing the hashed usernames. If it's only worth creating rainbow tables for mega-domains, which already have a saturated namespace, I assume the spammers see less value in knowing if any address within the namespace is valid.

Reversible hashed usernames do present an opportunity for domain owners to publish false ATSP records for spam trap purposes. win-win?

The privacy risk is less of a concern if the address is no-reply@. But the privacy risk is real for normal users authorizing mailing lists.


> Hash algorithms are intended to create enough collisions so that reversing the hash is not practical, but the lookup process needs to ensure uniqueness so that a delegation record does not create unauthorized secondary delegations.

But domain-level delegation creates infinite user-level delegations today. I don't think this is worth obsessing about if people think domain-level delegation is secure enough.


> Similarly, the domain owner needs a way to clean up his DNS when an account is terminated.   This includes removing delegations for the terminated account without causing mistakes caused by hash collisions.   So some form of tiebreaker will be needed to ensure uniqueness.

I was thinking the larger issue is that DNS administrators would have a hard time keeping track of which user address is associated with each hash. Especially if their DNS software/provider doesn't offer an internal comment/tagging capability. They'll have to maintain an internal lookup table.

What are the chances that because userA is authorized to use a mail-provider, that userB (who is a hash collision, whatever the long odds) begins to start using the same mail-provider, and then the DNS admin cleans up the userA authorization and accidentally breaks userB? It seems unlikely.


> Mitigation ideas:

> A user-to-domain delegation always uses plus addressing.  This increases randomness of the hash process and adds complexity to hash-reversal attacks.   It also simplifies privacy recovery if the plus address is compromised.

This seems challenging for the mailing list use case. I don't think most users have an easy way to send from a plussed address.


> The delegation record lookup uses a hash key based on the authorizing user and the signing domain concatenated together, and a secondary key based on the signing domain alone.   I don't know whether it will be better to look up the signing domain using hash or cleartext.

I think rainbow tables could still be created based on common usernames and common signing domains. Why not require the domain owner to use and publish a salt instead? Or maybe both?


> To handle the hopefully rare case where a hash collision still occurs, the domain owner creates multiple delegation records and assigns them a record number which is used internally to associate a specific record with a specific user account.

They would still need a lookup table of some sort.


> Doug
> 
> On Thu, Apr 20, 2023 at 6:24 PM Douglas Foster <dougfoster.emailstandards@gmail.com> wrote:
>> Murray's ATSP proposal (https://www.ietf.org/rfc/rfc6541.txt) and Hector's DSAP proposal (https://datatracker.ietf.org/doc/html/draft-santos-dkim-dsap-00) have a similar goal:   Allow "Domain2" to send authenticated messages for "Domain1".
>> This is authorized when
>>  • the message is signed by "Domain2" and
>>  • a DNS entry in "Domain1" is configured to authorizes "Domain2" as a delegated signer.
>> (I will use RFC6541 as my primary reference because it seems to have avoided scaling problems.)
>> 
>> A mailbox account owner cannot benefit from these ideas because he needs the ability to define a user-authorizes-domain or user-authorizes-user relationship.   Consequently, we should extend the RFC 6541 design to support a subkey of the form:
>>     <hasheduser>._users.<hashed-domain>._atsp.<parent-domain>..
>> 
>> Query sequence:
>>  • The initial query is for an ATSP policy at <hashed-domain>._atsp.<parent-domain>.  If it returns a result that authorizes the signatures, the search stops.
>>  • If the query returns NXDOMAIN, no further search is needed because the _users subkey does not exist.
>>  • Otherwise, a second query is performed for an ATSP policy at <hasheduser>._Users.<hashed-domain>._atsp .<parent-domain>.  If a valid result is found, the signature is also authorized.  T
>> The DNS entries for user-level authentication would be created automatically by the mailbox provider upon request from the user.
>> 
>> This approach gives the mailbox provider the ability to control which delegated domains are allowed.   If a third-party signer is badly behaved, the mailbox domain could remove all of its delegated signing entries and prevent new ones.   A potential downside is that the mailbox provider could use this power to limit third-party signing to its favorite sister companies or favorite business partners, possibly in exchange for payment or other favorable actions.
>> 
>> This approach is also a path forward for the mailing list problem.   If a user's domain implements user-level ATSP delegation of signing rights, each subscriber documents his participation in the mailing list by requesting a user-level delegation for the list server's domain.
>> 
>> The mailing list can easily check the ATSP entries for its subscribers to see if delegated signing authority has been granted.    The greater difficulty is knowing whether recipient domains implement support for the concept.  But the design does not require mailing lists to make any changes to benefit from the design, which has been a big obstacle to other concepts.
>> 
>> What are the objections?
>> 
>> Doug Foster 
>> 
>> 
>> 
>> .
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email