IETF Logo Mail Archive

Re: [ietf-822] A permission to re-sign header

"John R Levine" <johnl@taugh.com> Fri, 18 April 2014 15:44 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: ietf-822@ietfa.amsl.com
Delivered-To: ietf-822@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB1AA1A041D for <ietf-822@ietfa.amsl.com>; Fri, 18 Apr 2014 08:44:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.357
X-Spam-Level:
X-Spam-Status: No, score=-0.357 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uikhr82zo8HU for <ietf-822@ietfa.amsl.com>; Fri, 18 Apr 2014 08:44:07 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) by ietfa.amsl.com (Postfix) with ESMTP id A54311A03CC for <ietf-822@ietf.org>; Fri, 18 Apr 2014 08:44:06 -0700 (PDT)
Received: (qmail 50754 invoked from network); 18 Apr 2014 15:44:02 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent:cleverness; s=c640.53514842.k1404; bh=So1Ms3ihlwTLKndp+M6e/Wlz5Lpm2XQ08Y4uUU9FdpU=; b=Vk3zBLybkNRVC45+nSmfQ3jslKFQGzL6FEo9xhcEgJjCSi6FW/dNOzOGrzLUgk/dJXRM3zV1mklEeSsXfdx7cLyZvihR68xfjByhRyF3033JE5+B+sEsF9aOkUC6rwF12IfDErn/wphjtWI0YANRLNeb61R6OIzGiPnQOVgC9Rkb2cu3sl3Phx1j6V2a82qCUPF5AeSW06PPpdeb+IT2SM1zSYpeGEd+XNHXR6jc6DJGNoRhb0dMU/RifWqvgdVs
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent:cleverness; s=c640.53514842.k1404; bh=So1Ms3ihlwTLKndp+M6e/Wlz5Lpm2XQ08Y4uUU9FdpU=; b=RTvvveEBttFhM0N8z3avO1sO9Fk8H1aVXLkX0grT8TLQbkMRp7I9yoIWGp8SbqyQft7bcBYuTPRIaFoKfnG6A+g8C6ZXThfnUViDBbmfYtGCauw3vuktIyUjB67nWhnMuYqvCJbAM9jLgftCA13/TuF1y3qOckFkP0Iujzk5sJyc90HA+ZgLEiDJfXgevrnaAG8OZljKhQ3dJ9SXIxL4Vx9LRHO1kGhBoYgUA2IS87KizZJx2lKGgqleoWGrcfoL
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 18 Apr 2014 15:44:02 -0000
Date: Fri, 18 Apr 2014 11:44:00 -0400
Message-ID: <alpine.BSF.2.00.1404181129010.4704@joyce.lan>
From: John R Levine <johnl@taugh.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
In-Reply-To: <CAL0qLwbhw6uG=JenLLjJbDGr63NjpJ-s70z9FuwzO_LGzOM7SA@mail.gmail.com>
References: <20140418021925.2979.qmail@joyce.lan> <CAL0qLwbhw6uG=JenLLjJbDGr63NjpJ-s70z9FuwzO_LGzOM7SA@mail.gmail.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
Cleverness: None detected
MIME-Version: 1.0
Content-Type: MULTIPART/signed; protocol="application/pkcs7-signature"; micalg="sha1"; BOUNDARY="3825401791-1108576077-1397835842=:4704"
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-822/ToxhMQgjGylH6TAQGKTzOvjDXzw
Cc: ietf-822@ietf.org
Subject: Re: [ietf-822] A permission to re-sign header
X-BeenThere: ietf-822@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of issues related to Internet Message Format \[RFC 822, RFC 2822, RFC 5322\]" <ietf-822.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-822/>
List-Post: <mailto:ietf-822@ietf.org>
List-Help: <mailto:ietf-822-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Apr 2014 15:44:10 -0000

>> This is a permission to re-sign for a message From:
>> marissam@yahoo.com, to be re-signed by a mailing list at ietf.org. The
>> s= and a= and t= are the same as DKIM, the b= is a signature of a hash
>> of the M-R header, similar to the b= signature in a DKIM-Signature.
>> [...]
>
> Could the same thing be accomplished by a slight adjustment to VBR,
> allowing a zone to vouch for another with the specific meaning that this
> means X is authorized to generate mail for Y as long as X signs it?

VBR is just a hint saying go look at a whitelist.  It has no inherent 
security and only works because it assumes the receiver already knows what 
whitelists it trusts.  (This must be obscure, too many people told us VBR 
was stupid because anyone could build a fake whitelist and point VBR 
headers at it.)

Do you mean that every DMARC publisher would have its own exception 
whitelist, and the adjustment would be to assume the whitelist is credible 
if its name matches the From: domain?  I suppose that could work, although 
expecting every domain to publish its own whitelist seems unlikely to 
scale.  A domain could indirectly use someone else's domain whitelist via 
DNAME, but urrghh.

If we expect there to be a handful of widely used DMARC exception 
whitelists, a mailing list could certainly use VBR as defined to point at 
the whitelist(s) in which its signing domain is included.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

v2.23.0 | Report a Bug | By Email