Re: [ietf-822] WSJ/gmail/ML, was a permission to...

Hector Santos <hsantos@isdg.net> Mon, 05 May 2014 16:10 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: ietf-822@ietfa.amsl.com
Delivered-To: ietf-822@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 292231A03AA for <ietf-822@ietfa.amsl.com>; Mon, 5 May 2014 09:10:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.102
X-Spam-Level:
X-Spam-Status: No, score=-98.102 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_41=0.6, J_CHICKENPOX_54=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pRnFr4-Wgj8L for <ietf-822@ietfa.amsl.com>; Mon, 5 May 2014 09:10:44 -0700 (PDT)
Received: from listserv.winserver.com (news.winserver.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id AE9801A03A1 for <ietf-822@ietf.org>; Mon, 5 May 2014 09:10:43 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=1750; t=1399306233; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=ag1kZVm1qunozG1jCZcHujA1SLE=; b=alpv7WTJqy1I1YKALFHZ wJgA2wpE6byT8U1lmQym25hYaD1TSGW/q+//dimcYx9wtcri1J+6Xe/uXoJJDsQH 1zNA2raTqjwQ7zFYY6QMSv4JrvEifA2TrcFssyR8pJRpgfIF8h+M/klxczN4VSDl z0wy+F+F7+Ch7r9TR0pR7dc=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf-822@ietf.org; Mon, 05 May 2014 12:10:33 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from opensite.winserver.com (beta.winserver.com [208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 2414791159.3.2304; Mon, 05 May 2014 12:10:33 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=1750; t=1399306130; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=EQKybxQ VZ7L/EX63qtFJVoGbOggMqSx3JRLUC0Uxurk=; b=jH9zUZ/c4rCpDqPYKTX1LTK NT7d5MPBH83gzKH6abQuwqfod+W4vvjLl7YxEsDCWRE9Y25o0saY4nUCZCqNPSRd qHty/tt4Q0sv+EVvYakmZM37sEIGozzgKuTls9GHudHg+lk/RXTeyABR1VlXuVCF AtMtAXS2N+Y8x+ThCV4Y=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf-822@ietf.org; Mon, 05 May 2014 12:08:50 -0400
Received: from [192.168.1.2] ([99.121.4.27]) by beta.winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 2434305937.9.15160; Mon, 05 May 2014 12:08:49 -0400
Message-ID: <5367B7F4.8030407@isdg.net>
Date: Mon, 05 May 2014 12:10:28 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: ietf-822@ietf.org
References: <20140418123721.3610.qmail@joyce.lan> <5365357D.2020101@tana.it> <53653C7A.3090304@pscs.co.uk> <53655C13.9070201@isdg.net> <6116.1399163723@sandelman.ca> <536687F5.2040503@isdg.net> <12781.1399231977@sandelman.ca>
In-Reply-To: <12781.1399231977@sandelman.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-822/jUJKqTR3dmgR_a126czrdwXcDPI
Subject: Re: [ietf-822] WSJ/gmail/ML, was a permission to...
X-BeenThere: ietf-822@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of issues related to Internet Message Format \[RFC 822, RFC 2822, RFC 5322\]" <ietf-822.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-822/>
List-Post: <mailto:ietf-822@ietf.org>
List-Help: <mailto:ietf-822-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 16:10:46 -0000

On 5/4/2014 3:32 PM, Michael Richardson wrote:
>
> Uhm, there is a limit on how big a TXT record can be.
> As far as I can see, I have to list all the mailing lists into asl=

If it fits your "small scale" needs, OK. But the complete solution is 
with both ASL and/or the ATPS proposal.

ASL is a "smaller scale" solution using an "asl=" tag list of domains, 
fitting as much as you can into a 512-byte TXT record without forcing 
a UDP->TCP fallback query switch.

For larger-scale needs, the ATPS method is to have one TXT record per 
authorized 3rd party signer domain. Is that OK?  Can that be improved?

This would be the suggested DMARC compliant receiver's Check Signing 
Practice (CSP) procedure for DMARC with the extended ASL, ATPS support:

1) Obtain the 5322.From header AUTHOR-DOMAIN and perform a
    DNS TXT query for "_dmarc.AUTHOR-DOMAIN" to obtain a
    policy record.

    If no DMARC record is found (NXDOMAIN),
       return result DMARC=NONE

2) Obtain the 5322.DKIM-Signature header SIGNER-DOMAIN and
    compare with the AUTHOR-DOMAIN.

    If the two domains are the same,
       return DMARC=PASS (authorized 1st party signer).

    otherwise continue with third party authorization checking.

3) If the DMARC record "asl=" tag is present, check the
    SIGNER-DOMAIN within the "asl=" list of domains.

    If SIGNER-DOMAIN is found in the "asl=" list,
       return DMARC=PASS (authorized 3rd party signer).

4) If an atps=y tag is present, perform the steps as outlined
    in ATPS (RFC6541) which is to lookup the TXT record existence
    for:

       base32(sha1(SIGNER-DOMAIN))._atps.AUTHOR-DOMAIN

    If the TXT record exists,
       return DMARC=PASS (authorized 3rd party signer)

5) return DMARC=FAIL (unauthorized signer).


-- 
HLS
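The receiver procedure listed in the post (steps 1 through 5), together with the 512-byte TXT argument for why "asl=" is the small-scale option, as an added worked example in Python. This is not code from Hector Santos's post, from RFC 6541, or from any Santronics/Wildcat! product. It resolves against a constructed in-memory zone instead of live DNS; the "asl=" value is assumed to be comma-separated (the post does not name a separator); a message with no DKIM signer at all is treated as FAIL (the post assumes a signature is present); and the ATPS owner name is built exactly as in step 4, base32(sha1(SIGNER-DOMAIN))._atps.AUTHOR-DOMAIN, after lowercasing the signer domain so the hash is stable across case variants. The "v=ATPS1; d=" text stored in the mock zone is the RFC 6541 record form; the check itself only requires the record to exist, as the post says.

```python
import base64
import hashlib
from typing import Callable, Dict, List, Optional


def normalize(domain: str) -> str:
    """Lowercase and drop a trailing dot so comparisons and hashes are stable."""
    return domain.strip().rstrip(".").lower()


def atps_label(signer_domain: str, author_domain: str) -> str:
    """Owner name queried in step 4: base32(sha1(signer))._atps.author.

    SHA-1 is 160 bits, so base32 yields exactly 32 characters with no '='
    padding. The label is lowercased because DNS names compare case-insensitively.
    """
    digest = hashlib.sha1(normalize(signer_domain).encode("ascii")).digest()
    label = base64.b32encode(digest).decode("ascii").lower()
    return f"{label}._atps.{normalize(author_domain)}"


def parse_tags(record: str) -> Dict[str, str]:
    """Parse 'k=v; k=v' tag/value text (DMARC and ATPS record syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


# Constructed mock zone (not real records): owner name -> TXT strings.
MOCK_ZONE: Dict[str, List[str]] = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; asl=lists.example.net,esp.example.org; atps=y"],
    "_dmarc.smallco.example": ["v=DMARC1; p=none"],  # neither asl= nor atps=
}
# One ATPS record per authorized third-party signer, as the post describes.
MOCK_ZONE[atps_label("bulk.example.info", "example.com")] = ["v=ATPS1; d=bulk.example.info"]


def mock_resolve_txt(name: str) -> Optional[List[str]]:
    """Stand-in for a DNS TXT lookup; None covers both NXDOMAIN and NODATA."""
    return MOCK_ZONE.get(normalize(name))


def check_signing_practice(author_domain: str, signer_domain: Optional[str],
                           resolve: Callable[[str], Optional[List[str]]] = mock_resolve_txt) -> str:
    """Steps 1-5 from the post; returns 'NONE', 'PASS' or 'FAIL'."""
    author = normalize(author_domain)

    # Step 1: policy record for the 5322.From domain.
    txts = resolve(f"_dmarc.{author}") or []
    dmarc = next((parse_tags(t) for t in txts if t.strip().lower().startswith("v=dmarc1")), None)
    if dmarc is None:
        return "NONE"
    if signer_domain is None:          # assumption: no DKIM signature means no authorized signer
        return "FAIL"
    signer = normalize(signer_domain)

    # Step 2: first-party signer.
    if signer == author:
        return "PASS"

    # Step 3: small-scale list inside the DMARC record (comma-separated assumed).
    allowed = {normalize(d) for d in dmarc.get("asl", "").split(",") if d.strip()}
    if signer in allowed:
        return "PASS"

    # Step 4: one TXT record per signer under _atps.<author>, only when atps=y.
    if dmarc.get("atps", "").lower() == "y" and resolve(atps_label(signer, author)):
        return "PASS"

    # Step 5: nothing authorized this signer.
    return "FAIL"


def dmarc_reply_size(author_domain: str, record: str) -> int:
    """Approximate wire size of a one-answer TXT response for _dmarc.<author>.

    Header (12) + question (encoded name + 4) + answer (2-byte compression
    pointer + 10 bytes of TYPE/CLASS/TTL/RDLENGTH + RDATA). TXT RDATA is a run
    of <length><bytes> strings of at most 255 bytes each. Past 512 bytes a
    non-EDNS0 resolver gets a truncated reply and retries over TCP, which is
    the cost the post wants the asl= list to stay under.
    """
    qname = f"_dmarc.{normalize(author_domain)}"
    name_len = sum(1 + len(label) for label in qname.split(".")) + 1
    rdata = len(record) + (len(record) + 254) // 255
    return 12 + name_len + 4 + 2 + 10 + rdata


if __name__ == "__main__":
    for author, signer in [("example.com", "example.com"), ("example.com", "lists.example.net"),
                           ("example.com", "bulk.example.info"), ("example.com", "other.example"),
                           ("smallco.example", "bulk.example.info"), ("nodmarc.example", "x.example")]:
        print(f"{author:18} signed by {signer:20} -> DMARC={check_signing_practice(author, signer)}")
    print("reply bytes:", dmarc_reply_size("example.com", MOCK_ZONE["_dmarc.example.com"][0]))
```

The `dmarc_reply_size` helper is the quick way to test the post's claim about scale: keep appending domains to the "asl=" value and watch when the single-record reply crosses 512 bytes; past that point the ATPS per-signer records are what keep each individual lookup small.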