Re: [ietf-822] one can re-sign without a permission to re-sign header

Douglas Otis <doug.mtview@gmail.com> Fri, 02 May 2014 07:42 UTC

From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <20140501195449.68225.qmail@joyce.lan>
Date: Fri, 02 May 2014 00:42:44 -0700
Message-Id: <F6DBFB28-ADDD-4248-BB7D-C049F30C9FF9@gmail.com>
References: <20140501195449.68225.qmail@joyce.lan>
To: John Levine <johnl@taugh.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-822/aKRU8IkPe2YX4yf6ZAoy-usCL9U
Cc: ietf-822@ietf.org, presnick@qti.qualcomm.com
Subject: Re: [ietf-822] one can re-sign without a permission to re-sign header

On May 1, 2014, at 12:54 PM, John Levine <johnl@taugh.com> wrote:

>> author's site. That shouldn't require the mailing list to communicate 
>> with the author's site, but it might require the author's site to get 
>> something from the mailing list's site.
> 
> That seems overcomplicated.  Just make the expiration time fairly
> short, since it's a rare mailing list that takes more than a day to do
> its thing.
> 
>>> Perhaps it's time for a more concrete proposal to be written down.
> 
> It occurred to me that there's a very simple way to do this:
> 
> http://datatracker.ietf.org/doc/draft-levine-may-forward/

Dear John,

Thank you for taking time to create this draft.  It seems to meet Pete's expectations.  As suggested, it also provides a repository of replay-able cryptographic tokens aimed at defeating both DMARC and DKIM protection when used in a timely fashion.  Should all mailing-lists hold DMARC protected messages until DKIM signatures expire?  Perhaps even add warnings in the friendly name that such messages are only intended for third-party services.

Author Domains still need to signal their understanding of the message's destination. Not really any different from TPA, but TPA does not impact how mailing-lists or other third-party services work, or potentially defeat protections of other messages, or change the signatures being applied. At least, this draft suggests the Author Domain cares about the harm their DMARC policy might cause.  Setting p=quarantine seems much easier.

Regards,
Douglas Otis
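An added illustration, not code from the thread or from draft-levine-may-forward: the DKIM t= (signing time) and x= (expiration) tags are what bound the window in which a signed copy stays verifiable, which is the window both the "make the expiration fairly short" suggestion and the "hold until the signature expires" concern are about. The header below is constructed; the domain, selector and hash values are placeholders.

```python
import re

# Constructed sample DKIM-Signature value (not from the thread): signed at t=,
# with an expiration x= set one day (86400 s) later.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "t=1399016564; x=1399102964; "
    "h=from:to:subject:date:message-id; "
    "bh=CONSTRUCTEDBODYHASH=; b=CONSTRUCTEDSIGNATURE=="
)


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list).
    Whitespace inside a value (from header folding) is dropped, as DKIM ignores it."""
    tags = {}
    for field in header_value.split(";"):
        field = field.strip()
        if not field:
            continue
        name, _, value = field.partition("=")  # split only at the first '='
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signature_window(tags):
    """Return (t, x) as integers; either is None when the signer omitted it."""
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    return t, x


def is_expired(tags, now):
    """Per RFC 6376 a signature carrying x= must not verify once now > x;
    a signature with no x= never expires on its own."""
    _, x = signature_window(tags)
    return x is not None and now > x


def replay_window_seconds(tags):
    """Seconds during which a stored copy of the message still carries a
    verifiable signature (None means the signer set no upper bound)."""
    t, x = signature_window(tags)
    if t is None or x is None:
        return None
    return max(0, x - t)
```

A short x= shrinks replay_window_seconds for every recipient, including mailing lists, which is why the thread frames it as a trade-off between list delivery delay and how long a copy remains usable.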