IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily

Seth Blank <seth@sethblank.com> Wed, 15 August 2018 03:59 UTC

Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85B93130EDE for <dmarc@ietfa.amsl.com>; Tue, 14 Aug 2018 20:59:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 59AwGLXoBQHD for <dmarc@ietfa.amsl.com>; Tue, 14 Aug 2018 20:59:17 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01A0C130ED9 for <dmarc@ietf.org>; Tue, 14 Aug 2018 20:59:16 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id k12-v6so37589500oiw.8 for <dmarc@ietf.org>; Tue, 14 Aug 2018 20:59:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=hFBBjBgObtrfRNRtTDx9Oq1allKC63qY1x3LK/mHCn0=; b=HjCUKp5rcbDIVxFTxAFf4iaP23q6GXweD39a1ypsQdTHx0kz7Vsg6A3OdSEOJWndfB IY158MDBxlG2nvcDnBC6AQ/HIgAerJPyUvz4cvYfW1IMonRiQgPAWjSW1UYkN+SpXeAy t/JhaO31bnAmYE61Fh6iwMoCRjrpH1VAl0dcB5av/Fag+rn4EayCFl9a7cbHvv6Z8yTP jtMsM5WmrlcglxeaUzoICzEvdMZZhAmFCnvwyFu3lzZfwkodxuGzeEjJrerjDt/AW4nJ oFoQqH41qrxS0msSBugxA/DcuPmxpjYo9rdtR5CbcVj0WeTOIsieE/Y2VueHgaWaB43f S08Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=hFBBjBgObtrfRNRtTDx9Oq1allKC63qY1x3LK/mHCn0=; b=UdYlvrpijFiuLHTMjBCW5YCwxg6OlmR6DyrzwP2/eswgQ70T3pTUOhHMm2EiDc+Ewj SsFSPPxQTNyEvF7TsnY1fXH6ILfn8WsIOaJFbj82rEbnJJr9EDOe8TDCbZuNBZVLzT1l 5IIdIYEZsef/vhyyv5ncG+Eavo64cTt5IGJsj8wWjDDZRcHK1QWmlLZvsOsbCNUe+2e9 Qth/WgvV5faH5qfReXYo51Lw9ivd6abgvJVeayFDS86GJqfZIxVgb7Sn4vfmRQGszyK/ gXZNJwYi9FH6WOTpI4iQVB079L7bPTQ3CThXE5+RkfYTSFrRFFOPCorZTNlK/eBNS3uI dY1g==
X-Gm-Message-State: AOUpUlGkK9Nmnp8d7dQZ5HzGADq5eXsvrclspvPYP6SVioEhcjUiKR/2 f+Lc/wB6Y3iQoJE5l5vp9xzd7F8P+WKxhHF1+6I55qcdkCk=
X-Google-Smtp-Source: AA+uWPyJLQdKlAYXmx4TnpihpzpVPqMl5fnz3EVBvz5NgsrLZG/BUqlH66UNOC0grtpf6pWGiRUsqgTFXCQ6tZeU7WY=
X-Received: by 2002:aca:3d83:: with SMTP id k125-v6mr23389221oia.86.1534305555946; Tue, 14 Aug 2018 20:59:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:2646:0:0:0:0:0 with HTTP; Tue, 14 Aug 2018 20:58:55 -0700 (PDT)
In-Reply-To: <a6eb3ab9-0e0f-f3e5-9dd0-8d9e992595a0@gmail.com>
References: <CAD2i3WNSe+of7U8fdTnmUeU3sthUbpEVgdYHT9J6BgLxoeOL3w@mail.gmail.com> <20180730221726.713CE200316625@ary.qy> <CAD2i3WMvCugRm4KZeLx3PFb6f_pKR3rs4mnH2FZO4_X7ZA7GHA@mail.gmail.com> <alpine.OSX.2.21.1807302025420.60501@ary.qy> <CABa8R6sWSu9Q+mozxzaVGab3PE2zxqVmt4L6FERSLC1oDTh1oA@mail.gmail.com> <alpine.OSX.2.21.1808031352460.29088@ary.qy> <CABa8R6u_09D9BNiq3fXDXjPVfFeZxHtRa0NyLamKyj033xO72A@mail.gmail.com> <CAD2i3WNJdQ95drzue17UdKEb_6qkN7DuB7WdMbORTSjWGgwJZA@mail.gmail.com> <CABa8R6sgtcAHGt10GQ85PvhYvEZfv1K1SqiFLe7ozWeZ5+Y30A@mail.gmail.com> <CABuGu1rmxMWhUQvzf=uyNVYSb1zGCgWtiak5+yPKaXGWPV4XUg@mail.gmail.com> <CAL0qLwbjpMH30hD8xKnAgT6kJ9wmN9hm3gwnRGmiqTOxKLiHDw@mail.gmail.com> <a6eb3ab9-0e0f-f3e5-9dd0-8d9e992595a0@gmail.com>
From: Seth Blank <seth@sethblank.com>
Date: Tue, 14 Aug 2018 20:58:55 -0700
Message-ID: <CAD2i3WNBdG2=uC+mx0uaA7z08V1f5t3qz9VZabL4mFO0ZQn2ng@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a3baf005737159b8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/yi-tTPpYNGLBMYf6LjPEw79ubsE>
Subject: Re: [dmarc-ietf] WGLC ARC-16 concern on Section 5.1.2 - cv=fail should sign greedily
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2018 03:59:20 -0000

On Sat, Aug 11, 2018 at 2:31 PM, Dave Crocker <dcrocker@gmail.com> wrote:

> If there is a clear and compelling counter-argument of clear benefit that
> can be achieved, will be achieved, and is desired by receivers, what is it?


There are THREE consumers of ARC data (forgive me for the names, they're
less specific than I'd like):

1) The ARC Validator. When the Validator sees a cv=fail, processing stops,
the chain is dead, and shall never be less dead. What is Sealed is
irrelevant.

2) The Receiver. An initial design decision inherent in the protocol is
that excess trace information will be collected, as it's unclear what will
actually be useful to receivers. 11.3.3 calls this out in detail. Without
Sealing the entire chain when attaching a cv=fail verdict, none of the
trace information is authenticatable to a receiver (see earlier message in
this thread as to why), which is the exact opposite of the design decision
the entire protocol is built on. To guarantee this trace information can be
authenticated, the Seal that contains cv=fail must include the entire chain
in its scope. This is where this thread started.

3) The receiver of reports that provide ARC data. For a domain owner to get
a report with ARC information in it, there needs to be some level of trust
in the information reported back. When a Chain passes, all the
intermediaries' header field signatures can be authenticated, and the
mailflow can be cleanly reported back. When a Chain fails, that is
important information to a domain owner (where is my mailflow failing me,
how can I figure this out so I can fix it?). Again, without Sealing over
the entire Chain when a failure is detected, this information is
unauthenticatable (and worse, totally forgeable now without even needing a
valid Chain to replay), and nothing of substance can be reported back.
Sealing the Chain when a cv=fail is determined blocks forgery as a vector
to report bogus information, and allows authenticatable information to be
reported back.

So to recap: Yes, when you hit cv=fail the chain is dead and shall never be
less dead. But to preserve trace information as was the initial design
decision, and make sure report data is meaningful and cannot be forged,
when a cv=fail verdict is attached the Seal must cover the entire chain in
its scope.

And to be even clearer: what is Sealed when cv=fail is reached (itself, the
entire chain, or nothing at all) DOES NOT AFFECT INTEROPERABILITY. But it
does effect preserving trace information and preventing forged data from
being reportable.

This is my very strong INDIVIDUAL opinion. But I'm fine if the group sees
differently, as this could be investigated as part of the experiment (i.e.
do any of the above points matter in the real world? I say they do, hence
the strong opinion.). As an editor, I'll make sure whatever the consensus
of the group is is reflected in the document.

v2.23.0 | Report a Bug | By Email