Re: [ietf-822] WSJ/gmail/ML, was a permission to...

Douglas Otis <doug.mtview@gmail.com> Sun, 08 June 2014 01:07 UTC

From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <6943.1399249180@sandelman.ca>
Date: Sun, 08 Jun 2014 02:05:58 +0100
Message-Id: <5BA79C70-9095-40BF-90CD-42D3883F7374@gmail.com>
References: <20140504193742.2489.qmail@joyce.lan> <6943.1399249180@sandelman.ca>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-822/LFiuaO5vaV69iDtxaBKXb9c2JFQ
Cc: ietf-822@ietf.org, John Levine <johnl@taugh.com>
Subject: Re: [ietf-822] WSJ/gmail/ML, was a permission to...

On May 5, 2014, at 1:19 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:

> John Levine <johnl@taugh.com> wrote:
> [...]
>> Remember that there are other things that DMARC broke, that do not
>> involve forwarding.  That's what "WSJ/gmail" in the subject line are
>> about.
> 
> Yes, I understand.  I'm not sure that web sites sending on my behalf
> is ultimately distinguishable from spam without some cryptographic route
> through the browser/webserver into my MUA.
> 
> I can imagine such a channel, but I don't think we want to talk about that.
> I think that we should list the various problems that we have discovered and
> it may be that some we can fix, and some we can not.
> 
> Ultimately, in the space of end-to-end SMTP, lists are a form of
> intermediary.  DMARC is a form of BCP38...

Dear Michael,

Cryptography will help secure many things, perhaps none better than SMTP-DANE.  But can a sending domain make a request without providing information necessary to avoid exposure of private exchanges by way of insecure DMARC feedback?  Talk about a major security hole.

Email is currently being accepted based on fairly weak validation schemes.  DKIM does not even indicate who sent the message, nor is it expected to indicate to whom it was intended.  It seems that when there are strong methods to validate email sources, there should be a way for a DMARC strategy to make authoritative exceptions.  DKIM Delegate seems to assume sending domains know which destinations can be trusted to the point of offering a weak signature.  Although it does not leverage DNS, it also cannot address important use cases and further weakens already weak protections that even failed to exclude invalid header fields from producing PASS.  Since DMARC is expecting others to act on their behalf, it should also directly convey which non-aligned domains have been used by their domain's users.

This communication can be an authorization of validated sources.  The granularity of the authorization can be by domain.  Any further resolution of the source will depend on trusting message handling.  Authorization might include a requirement that an Original Authentication Results header be included, for example.

Regards,
Douglas Otis