IETF Logo Mail Archive

Re: [ietf-822] one can re-sign without a permission to re-sign header

Ned Freed <ned.freed@mrochek.com> Sat, 26 April 2014 18:07 UTC

Return-Path: <ned.freed@mrochek.com>
X-Original-To: ietf-822@ietfa.amsl.com
Delivered-To: ietf-822@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CFE01A026D for <ietf-822@ietfa.amsl.com>; Sat, 26 Apr 2014 11:07:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.274
X-Spam-Level:
X-Spam-Status: No, score=-2.274 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gjUtP2TCJerm for <ietf-822@ietfa.amsl.com>; Sat, 26 Apr 2014 11:07:24 -0700 (PDT)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.159.242.17]) by ietfa.amsl.com (Postfix) with ESMTP id 7E7111A0647 for <ietf-822@ietf.org>; Sat, 26 Apr 2014 11:07:23 -0700 (PDT)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01P73LU2XN8W000WRN@mauve.mrochek.com> for ietf-822@ietf.org; Sat, 26 Apr 2014 11:02:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mrochek.com; s=mauve; t=1398535334; bh=BMkMyioybYttXoB0aGbjiTDT/8Ox8Z/U0ay1X7dFPbA=; h=Cc:Date:From:Subject:In-reply-to:References:To; b=oqFEz/JWQlb6yyIrop5ZJa8s3mdyHX7Wm06zGguQYUs7M8A/yI+W8jTrA31owh4p8 DwOOR1X2p6Hn744rAzkZ9TGTYhsTm7q2dpFVFNStkq141UKmGP1YrAPZ5E31tCAD7z FUf22LX4nqvYrJ0ZtxsiNMf3O+iXR/C8ztoAbuoQ=
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET="iso-8859-1"
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01P714CWLY4W000052@mauve.mrochek.com>; Sat, 26 Apr 2014 11:02:11 -0700 (PDT)
Message-id: <01P73LU0RT9I000052@mauve.mrochek.com>
Date: Sat, 26 Apr 2014 10:56:36 -0700
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Sat, 26 Apr 2014 19:32:05 +0200" <535BED95.6090304@tana.it>
References: <535646AA.2080400@pscs.co.uk> <20140422202403.42908.qmail@joyce.lan> <01P6Y9IJSOEG000052@mauve.mrochek.com> <535B8B07.6090307@tana.it> <01P73EQM1PKQ000052@mauve.mrochek.com> <535BED95.6090304@tana.it>
To: Alessandro Vesely <vesely@tana.it>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-822/-BSPNks36iZgD9q_vHEdxUE4iII
Cc: ietf-822@ietf.org, Ned Freed <ned.freed@mrochek.com>
Subject: Re: [ietf-822] one can re-sign without a permission to re-sign header
X-BeenThere: ietf-822@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of issues related to Internet Message Format \[RFC 822, RFC 2822, RFC 5322\]" <ietf-822.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-822/>
List-Post: <mailto:ietf-822@ietf.org>
List-Help: <mailto:ietf-822-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Apr 2014 18:07:27 -0000

> On Sat 26/Apr/2014 16:24:24 +0200 Ned Freed wrote:
> >>>>> I know people think I'm wrong, but I think it needs to be looked at a
> >>>>> different way. As a recipient, I don't want 'proof' that this message
> >>>>> came from Alessandro, I want 'proof' that it came from the
> >>>>> ietf-822@ietf.org mailing list.
> >>>
> >>>> I think you're right.
> >>>
> >>> I concur as well.
> >
> >> Eh?  I agree a /receiver/ can do a better job by considering mailing
> >> list messages as an already filtered/moderated mail stream, rather
> >> than a collection of independent messages.  Talking domain-level
> >> authentication, even the local part is irrelevant.  As a /recipient/,
> >> however, the list where a message came from, ietf-822, ietf-smtp, or
> >> whatever, is a rather circumstantial attribute of a message.  I
> >> obviously care much more about who says what in which thread...
> >
> > You're conflating completely different things here. We're talking
> > about assessing the validity of a message, not about the value of
> > the content of different valid messages.

> Yes, only human recipients can distinguish between those.

> > And the fact is that essentially every mailing list I'm on - and
> > I'm on a lot of them run by a lot of different organizations - is
> > very good at blocking junk mail. As such, knowing that a message
> > came from one of the lists I'm on - even if I don't recognize the
> > person posting or the topic they're posting about - is more than
> > enough to tell me that the message isn't garbage.

> Fully agreed.  My point is that all too often receiving MTAs don't
> know what lists their users are on.  That has various nefarious
> consequences, but maybe the one we are now talking about is relevant
> enough to make a change.  All the proposed solutions require that the
> originator's relay knows if the recipient of a message is a mailing list.

Which is precisely the point of having a mechanism to whitelist the
ones you are on.

> >> SPF authentication covers most subscribers, but not those who have
> >> their mail forwarded to different sites (unless the forwarders use
> >> SRS).  DKIM signatures survive forwarding.
> >
> > Sometimes they do, sometimes they don't. Depends on a lot of factors.

> I've been using weak signatures (as on this message) for years now,
> and my limited experience, based on DMARC reports after posting to one
> of the few lists I'm on, seems to say they survive in many cases.
> (Well, some lists strip DKIM-Signatures off.)  I'd propose an even
> weaker signature: h=From:To:Date; l=0.  It should be unbreakable.

I doubt it.

> >> Neither method is useful for DMARC because the domain being
> >> authenticated is that of the mailing list, which is aligned with
> >> "To:" rather than "From:".
> >
> >> Is it possible to introduce "To:" as a _secondary identifier_ in the
> >> DMARC mechanism?  In that case a weak DKIM signature could be the
> >> element which authorizes receivers to use the secondary identifier.
> >
> > Maybe, but I doubt very much this would be useful. Indeed, the
> > reason we're in this mess is because DMARC attaches semantic
> > restrictions to the From: field. Attaching more semantics to more
> > header fields does not seem like a move in the right direction to
> > me.

> This trick cuts two ways.  On the one hand, receivers who implement
> the modified DMARC will recognize the strong (list) signature after
> verifying the weak (author's domain) one.  The list can also be
> authenticated by SPF in this case.  On the other hand, unmodified
> receivers will just accept the weak signature if they don't have
> restricting policies on signatures' strength.

> > I'd much rather pursue Pete's approach.

> I like it too, but I haven't fully grasped it.  On the 16th he wrote:

>   If the originator's site is going to allow that, you could create a
>   mechanism where the originator's site gets some sort of
>   cryptographic data from the mailing list site and include that in
>   its signed message, such that when the eventual recipient gets the
>   message, it can verify that it came from a mailing list site that
>   the originator explicitly sent the mail to.
> https://mailarchive.ietf.org/arch/msg/ietf/T823fjs5PWq2BjvOZ-FzZ5YMjSA

> I assume the final message has a valid author's domain signature,
> otherwise we need to modify DMARC.

Or override it.

> The only way I see is that the
> MLM, after message modification, sends the message or its hash back to
> the author's site to get it signed.  That sounds too complicated, so I
> must be missing something.

Perhaps it's time for a more concrete proposal to be written down.

				Ned

v2.23.0 | Report a Bug | By Email