Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy
Douglas Otis <doug.mtview@gmail.com> Wed, 20 May 2015 05:18 UTC
Message-ID: <555C1903.2050403@gmail.com>
Date: Tue, 19 May 2015 22:17:55 -0700
From: Douglas Otis <doug.mtview@gmail.com>
To: dmarc@ietf.org
References: <20150520032528.63043.qmail@ary.lan>
In-Reply-To: <20150520032528.63043.qmail@ary.lan>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/zZSPg9ORPed6BATjD9aVCEBdNTc>
On 5/19/15 8:25 PM, John Levine wrote:
>> The challenge here is that the second signer may not have anything to do with
>> the message. Since, except for From, only invisible parts of the message are
>> signed, the signature could be applied to almost any email. Using the
>> reputation of the second signer's domain is not substantially different than
>> using the reputation of an unauthenticated identity. I don't see how that
>> helps.
> The second signer has at least enough to do with the message that it
> has a real message in hand with permission to re-sign.
>
> Remember the problem that got us here in the first place: AOL and
> Yahoo had security failures that let crooks steal zillions of address
> books, who then used botnets to send spam to AOL and Yahoo users that
> appeared to be from other AOL and Yahoo users that they knew. The
> actual source of the mail had nothing to do with AOL or Yahoo, or any
> system that had ever gotten mail from AOL or Yahoo.
>
> The double signing hack limits the opportunity for trouble to mail
> systems that have a recent real message in hand. While I can
> certainly imagine spammy scenarios, it's hard to imagine ones that
> wouldn't be fairly easy to detect and shut down. If nothing else, if
> the original sender gets spam reports about double signed mail (there
> are FBLs that key on DKIM signature) it can tell who's screwing
> around and stop putting conditional signatures on mail to them.

Dear John,

I receive similar levels of spoofed friends who once had accounts with Yahoo and AOL. The phishing now tends to depend on the look and feel of the display name rather than having an exact domain. In these cases DMARC offers little to no value. Mediators could apply a policy suitable for blocking input failing an initial hop from the DMARC domain. Any subsequent policy would then need to carve out exceptions for mediator domains that their DMARC feedback should clearly identify.

Once a two-stage policy scheme is facilitated that only the DMARC domain can monitor via their feedback, then only the DMARC domain would be able to spoof one of their own users. If someone cheated, the exceptions to permit these mediators could be immediately retracted. The daisy-chain alternative you proposed provides a DMARC domain less ability to stop bad actors and causes far greater change to email infrastructure for little benefit. A similar regimentation scheme will be needed. I still think this should be published as SHA-1 hash labels, but that optimization seems to make people think it is too complex. People need to think of it like a box of chocolates: you never know what you are going to get. Whatever the answer, it is authoritatively delicious. :^)

Regards,
Douglas Otis
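As an added illustration (not code from this message, from John Levine's proposal, or from any DMARC implementation), the two-stage scheme described above can be sketched in Python: a mediator admits only mail that passed an aligned first hop from the DMARC domain, and a final receiver accepts unaligned mail only when the DMARC domain has published an exception for the second signer, here as a SHA-1 hashed label that the domain can retract at any time. The `_mediator` label layout, the `v=MED1` record value and the in-memory DNS table are all assumptions constructed for this example.

```python
import hashlib

# Constructed in-memory stand-in for DNS (query name -> TXT value). The
# hashed-label layout is an assumption about the "SHA-1 hash labels" idea in
# the message; nothing here is a published DMARC or DKIM mechanism.
DNS = {"_dmarc.example.com": "v=DMARC1; p=reject"}

def mediator_label(dmarc_domain, mediator_domain):
    """Label the DMARC domain publishes to authorize one mediator: the hex
    SHA-1 of the (lower-cased) mediator domain under an assumed _mediator
    subtree, so the list of mediators is not readable by walking DNS."""
    digest = hashlib.sha1(mediator_domain.lower().encode("ascii")).hexdigest()
    return f"{digest}._mediator.{dmarc_domain}"

def authorize(dmarc_domain, mediator_domain):
    DNS[mediator_label(dmarc_domain, mediator_domain)] = "v=MED1"

def retract(dmarc_domain, mediator_domain):
    """Only the DMARC domain controls its zone, so it alone can revoke."""
    DNS.pop(mediator_label(dmarc_domain, mediator_domain), None)

def mediator_authorized(dmarc_domain, mediator_domain):
    return DNS.get(mediator_label(dmarc_domain, mediator_domain)) == "v=MED1"

def has_reject_policy(from_domain):
    return "p=reject" in DNS.get(f"_dmarc.{from_domain}", "")

def mediator_accepts_inbound(msg):
    """Stage 1 (at the mediator): for a p=reject domain, only take in mail
    whose first hop passed an aligned SPF/DKIM check, so spoofs never enter."""
    return (not has_reject_policy(msg["from_domain"])) or msg["aligned_pass"]

def receiver_disposition(msg):
    """Stage 2 (at the final receiver). msg fields: from_domain, aligned_pass
    (SPF/DKIM aligned with From at this hop), signers (verifying DKIM d=)."""
    if not has_reject_policy(msg["from_domain"]):
        return "accept: no reject policy"
    if msg["aligned_pass"]:
        return "accept: aligned"
    for d in msg["signers"]:  # unaligned mail needs a listed second signer
        if mediator_authorized(msg["from_domain"], d):
            return f"accept: mediator {d}"
    return "reject: unaligned and no authorized mediator"

# Constructed scenario: example.com lists lists.example.org as a mediator.
authorize("example.com", "lists.example.org")
via_list = {"from_domain": "example.com", "aligned_pass": False,
            "signers": ["lists.example.org"]}
spoof = {"from_domain": "example.com", "aligned_pass": False,
         "signers": ["bulk.example.net"]}
```

Calling `retract("example.com", "lists.example.org")` flips `receiver_disposition(via_list)` to reject without any change at the mediator or the receiver, which is the retraction property the message argues for.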