Re: [dmarc-ietf] Updated mandatory tag/conditional signature draft

Hector Santos <hsantos@isdg.net> Thu, 09 April 2015 12:10 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10DDE1A19F4 for <dmarc@ietfa.amsl.com>; Thu, 9 Apr 2015 05:10:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.402
X-Spam-Level:
X-Spam-Status: No, score=-101.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_45=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BXOAjSSp-ki2 for <dmarc@ietfa.amsl.com>; Thu, 9 Apr 2015 05:10:26 -0700 (PDT)
Received: from ntbbs.winserver.com (listserv.winserver.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id D30B91A19EC for <dmarc@ietf.org>; Thu, 9 Apr 2015 05:10:25 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=3442; t=1428581415; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:Subject:To: List-ID; bh=5dhAK3SsCsLeeOfQyiW+gcDn5Cs=; b=OgEsqX3BbRCeaxQHHOzj k9cwFtF4auPicgxmqb53CVnY9gqWWyf7W9EvWxJtbaed6krwAOmmrWx1Q3POKpsx OrPw7pzz34KHto2Q25npI805Z90zLrATi7NmAzrbmhmQEfhNnXlX3WEF0K6Z0gvB 4XyM9+n/e9zITHTyqTCruGg=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for dmarc@ietf.org; Thu, 09 Apr 2015 08:10:15 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com; dmarc=fail author.d=isdg.net signer.d=beta.winserver.com (unauthorized signer);
Received: from beta.winserver.com (hector.wildcatblog.com [208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 2291435562.3150.4264; Thu, 09 Apr 2015 08:10:14 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=3442; t=1428581193; h=Received:Received: Message-ID:Date:From:Organization:Subject:To:List-ID; bh=X1kFwC3 SyXmvYPuxQAEO3ULLr04Rm6+8FlQX4rFtCFI=; b=rHJTgXzYLZlzKBU+y/bk/Eu wfVV6JA+n6uvogJtrSV5YWwU4WF6fwf/GF7izMAhFJrLMCIpv3ORWB895I8xnQOk 3bv/OBWl0dm98b6Tp9hu4FkqlmG0G+1MfZba+7sjr2L8cjHIgfDHK4gY0KisUYJM I3RKtd/78pirEUEK7O5Q=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.4) for dmarc@ietf.org; Thu, 09 Apr 2015 08:06:33 -0400
Received: from [192.168.1.2] ([99.121.4.27]) by beta.winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 883728941.9.5816; Thu, 09 Apr 2015 08:06:32 -0400
Message-ID: <55266C2B.4040708@isdg.net>
Date: Thu, 09 Apr 2015 08:10:19 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
CC: "dmarc@ietf.org" <dmarc@ietf.org>
References: <20150409020637.34444.qmail@ary.lan> <CAL0qLwZyZUO2ZJGcS3PMmMU5+qXSmKm2UeUveYujpNy9CVSJyw@mail.gmail.com>
In-Reply-To: <CAL0qLwZyZUO2ZJGcS3PMmMU5+qXSmKm2UeUveYujpNy9CVSJyw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Comment: Missing recipient address appended by wcSMTP router.
To: dmarc@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/zk7y_9nvWQ8DqcgzqbGvpBlCjh8>
Subject: Re: [dmarc-ietf] Updated mandatory tag/conditional signature draft
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Apr 2015 12:10:32 -0000

Fairly simple? I'm not sure about that.

1) The signer engine needs to do two signatures now.  This will be a
major code change, more outbound signing overhead. There is still that
so-called scalability, "big data" problem.  How will the "YAHOOs"
scale this?  A database is still needed of which domains will have an
outbound mail stream with two signatures.  Somehow the list domains
will still need to register with the Yahoos and tell the Yahoos,
"Please send us two signatures authorizing our list domain."    I
would like to call this a "registration" problem because that seems
to be the area of disagreement as a real problem.

2) Two (actually all) receivers now have to comply; the MLM MDA
receiver (middleware) and the final User MDA receivers. All
middleware MUST NOT strip the weak 1st party signature.

These are not fairly simple changes. The idea has the same end
result for 3rd party authorization with more complex calculations at
all points: signers, middleware and receivers.   This is far more
complex than a simple DNS lookup of the ADID/SDID at the receivers
satisfying the same end result question -- "Does the ADID authorize
the SDID as a signer?"

Are we trying to skip the DNS part from the solution of all this?   I
would like to ask the chairs, if the Indirect Mail Interop report
includes further explorations into ATPS and TPA, then why is that not
happening, and who will do it?   Obviously, Murray is showing his
disinterest in completing the DKIM ATPS work.

The IETF should present all the solutions in this complicated project.
Compared to what is being proposed with this idea and Murray's other two
ideas, the DNS lookup method is still a viable option, if only to be
included in the total solution pack:

     DKIM+DMARC+ATPS as a faster, optimized, least-change approach,
     more proven in the market place with APIs already set to do the
     ADID lookup.

     DKIM+DMARC "In-band" method, such as Levine's @FS= idea for, I
     guess, the customers out there that, for some reason, want a more
     complex DKIM engine in signing and verifying in order to do the
     same thing, perhaps because they have problems interacting with
     their DNS administration requirements?

Even if this dual signature @FS= approach goes forward, the software 
change requirements will allow for an optimized DNS authorization 
lookup method to be included.

-- 
HLS


On 4/9/2015 12:52 AM, Murray S. Kucherawy wrote:
> On Wed, Apr 8, 2015 at 7:06 PM, John Levine <johnl@taugh.com> wrote:
>
>> I updated my conditional signature draft, which is now (thanks to a
>> suggestion from Ned Freed) the mandatory tag draft.
>>
>> https://tools.ietf.org/html/draft-levine-dkim-conditional-01
>>
>> [...]
>>
>
> Well, I'm game to try.  Adjustments to the parsing engine should be fairly
> simple, and a couple of extra steps to notice and resolve the forward
> reference will be needed.  And maybe some extra return codes.  I'd use "!"
> instead of "@", I think, as an indication of their importance when observed
> visually, but that's rather a minor point.
>
> The first thing that hits me: Do we have to be specific about what's meant
> by "weak"?  How does the verifier decide if it's "weak enough" or perhaps
> "too weak"?
>
> -MSK
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>