Re: [ietf-822] [dmarc-ietf] Request for feedback: draft-ser-authentication-results-openpgp
Simon Ser <contact@emersion.fr> Thu, 22 October 2020 12:12 UTC
Return-Path: <contact@emersion.fr>
X-Original-To: ietf-822@ietfa.amsl.com
Delivered-To: ietf-822@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 062473A0AC5; Thu, 22 Oct 2020 05:12:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=emersion.fr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y6Rj--pCsucG; Thu, 22 Oct 2020 05:12:42 -0700 (PDT)
Received: from mail2.protonmail.ch (mail2.protonmail.ch [185.70.40.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A33E03A0AC3; Thu, 22 Oct 2020 05:12:42 -0700 (PDT)
Date: Thu, 22 Oct 2020 12:12:35 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=emersion.fr; s=protonmail2; t=1603368759; bh=ruZZpKXq+5hnVN3tAHbzMo1ePlk1uVSSGprUJG81g18=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:From; b=hMmY9KIjJaGwh13zz7pInjxzgOF+mmRg5QWsFeN+wSLIIsuaNchYzVhTXguGhNDlw S0/QtbEtBh60RFcbo4BCn0TCIPVeoW25XdY9XG1q4tss0HmQkt6NZkJDctwHe7GL3Q KUn5Jurkb0s9idNxsSIzb9s9r5OAC+bRFLg+GWJc1kUvf1o4ob7XXv7YKnCccBzd+K qaqKa9+k5sFu2cacT48qJ8JVTFavOC09pgVmlULqitWAaZbImyv5Abw4gnE9GGxihp t9qIHigjOtshf86oarzs21tWvMmS+Gh5Cwvqomen3abNdKE8krCnJuhSubkKYIlaTw g3hpxr7nt2DHw==
To: "ietf-822@ietf.org" <ietf-822@ietf.org>
From: Simon Ser <contact@emersion.fr>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Reply-To: Simon Ser <contact@emersion.fr>
Message-ID: <1D0mNvhgL7vfSzrdCLrTIFkAk7ulKhb6vw3yQiKdVjP2dxJqF4OZiEzUSsPLhXjiLE3n5NyO9mCP-uVdfyR6FyVQvEsUeoAmGcM4Qj46uR4=@emersion.fr>
In-Reply-To: <20201020012421.4A46623B1365@ary.qy>
References: <20201020012421.4A46623B1365@ary.qy>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-822/6C5pgbTaxSCxHm0tzF-D-mf4Zok>
Subject: Re: [ietf-822] [dmarc-ietf] Request for feedback: draft-ser-authentication-results-openpgp
X-BeenThere: ietf-822@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Internet Message Format \[RFC 822, RFC 2822, RFC 5322\]" <ietf-822.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-822/>
List-Post: <mailto:ietf-822@ietf.org>
List-Help: <mailto:ietf-822-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2020 12:12:45 -0000
Thanks for your reply. On Tuesday, October 20, 2020 3:24 AM, John Levine <johnl@taugh.com> wrote: > [ Replies sent to ietf-822 since this is unrelated to DMARC ] (Sorry, I wasn't sure where to send this e-mail to.) > In article ZxWD3Yo-oiRI8Rq8k9H-7vG3Rgogp5lhNRwW3JcDUpFjHlfxgubW8rC5g4jQKWnhFazItAexGXsB4xMb69mZg2jRtuXEC7l1GxfmqdBbCOU=@emersion.fr you write: > > > I've submitted a draft for a new Authentication-Results method a while > > back 1. I'd like to get some feedback. > > My use-case is: on a mailing list system 2, I'd like to display PGP > > signature status, if a PGP signature is present. ... > > > > > > Does this sounds like something worth doing? > > Maybe, but probably not. > > DKIM is intended as a signature for messages in transit, applied as a > message leaves its sending system and verified as it arrives at the > recipient system. The sorts of changs made by list managers often > break DKIM signatures, causing all sorts of excitement when DMARC > is involved. > > PGP signatures (and S/MIME signatures) are normally applied and > verified by the end-user mail programs. They're in the message body > and the changes that list managers typically make, tagging the > signature or adding body headers or footers, are unlikely to break a > PGP signature. I can think of ways a ML can change a PGP-signed message to make it invalid. Adding a footer to all inline text parts for instance. > Or to put it another way, if your A-R header said the PGP signature on > the message contents was good, but the end user found it was bad, that > would suggest something was screwed up, not normal mailing list > processing. I don't think I understand your point here. I don't expect the A-R header of the mailing list server which relayed the message to be preserved. In fact, many mail filters adding A-R will just remove all existing A-R header fields. In an email client, I may want to display the DKIM A-R result in the UI. A bad DKIM signature might indicate an untrustworthy message. Similarly, I may want to display the PGP signature verification result. > PS: It's not unreasonble for a list manager to use a PGP signature to > verify that it should forward a message, but there's not much use to > adding a header saying it did so. (My goal isn't to necessarily block messages with a bad PGP signature, but rather display the PGP verification result in the mailing list archives UI.) Well, what's the use-case for A-R then? Couldn't the receiving server check DKIM/DMARC without adding an A-R field and drop/quarantine messages which fail this test? My understanding was that A-R allows to have standardized email filters that check DKIM/DMARC, put the result in a header field, and then system administrators can consume this field and decide what to do. I think this could apply to PGP as well. I don't want to perform PGP key lookup and verification in the Web server displaying the ML archives. I'd rather do this upon receiving the message, in a completely isolated daemon (just like DKIM, e.g. with OpenDKIM). Thanks, Simon