Re: [Ietf-dkim] Adding an aim= tag to DKIM Signature Tag Specifications
Hector Santos <hsantos@isdg.net> Tue, 12 May 2020 14:26 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBD5D3A0B65 for <ietf-dkim@ietfa.amsl.com>; Tue, 12 May 2020 07:26:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=GXYoV1L2; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=GfWZYFMF
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z0B_CyRPGPBn for <ietf-dkim@ietfa.amsl.com>; Tue, 12 May 2020 07:26:17 -0700 (PDT)
Received: from mail.winserver.com (secure.winserver.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 875D73A0B4D for <ietf-dkim@ietf.org>; Tue, 12 May 2020 07:26:16 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=3724; t=1589293568; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=hRJRlf7r6ZXy1bnscMk1hCyzOhE=; b=GXYoV1L2mIuzbyv9y5hGkoQO1mHwUL6QrZEc+abeO2D96tcUST4vnQJ0TphRtu +1MQVg0fhGu5b4nw/v22M7mQtFz5oFCVJTo/AyRDN4sborYIOVYj2hSldlP87cNp CuicWcCTzm1Q4REfN62ZHdyiHampEVWZVn/uEghsdezqM=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.9) for ietf-dkim@ietf.org; Tue, 12 May 2020 10:26:08 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v8.0.454.9) with ESMTP id 20905269.1.5424; Tue, 12 May 2020 10:26:08 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=3724; t=1589293201; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=w8y41Ob lRFvsiXPpe/cmxbU6ytMaSqlkOwH/xC7yl9E=; b=GfWZYFMFvc7zQ7u2FuaNgqT oxop/UvyYNxne5lEP+d/UUtD/y6JcGDBntsJorHJbf0oU9mgxxXc4NaWBb2foGnL 07UIPdvVOUikpa3bROT9Je2Ggg6WcqZIcyTTB4IMI9wIW2Y3LXj6v7AGMjQkytIo x7WCkGKs906mOGJd+8Eo=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.9) for ietf-dkim@ietf.org; Tue, 12 May 2020 10:20:01 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.9) with ESMTP id 1027275281.3.9968; Tue, 12 May 2020 10:20:00 -0400
Message-ID: <5EBAB200.3070907@isdg.net>
Date: Tue, 12 May 2020 10:26:08 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: ietf-dkim@ietf.org
References: <80533fb3-75a2-1d60-801d-c54d735d4094@tana.it>
In-Reply-To: <80533fb3-75a2-1d60-801d-c54d735d4094@tana.it>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/WQeHbzBaV3ix6a7FABbXqD1SWB0>
Subject: Re: [Ietf-dkim] Adding an aim= tag to DKIM Signature Tag Specifications
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2020 14:26:20 -0000
We need to update DMARC or any other DKIM Policy proposal to seriously consider 3rd party signature Authorization methods. We have wasted so much time avoiding it. Sure, it may not apply to all, but neither does DMARC, and the push to embed a "half-baked" DMARC into our mail network has created a market of kludges and new security problems with the endorsement of the horrible RFC5322.From rewriting and the creation of a super complex, solve-nothing ARC concept.

The DKIM Policy needs additional tags, call it "aim=" if you like, that publishes and publicly exposes the following ideas:

1) Look, I really mean it, p=reject means NO rewriting. Reject!!

2) Eh, we are flexible, please allow the following domains; ietf.org, to resign our mail. If you see "ATPS=1" that means we support 3rd party signatures from specific and exclusive domains.

3) Please do not bypass 1 and 2 and perform a RFC5322.From destruction and rewrite violating our published policy and the intent of having DKIM Policy for exclusive mail operations. However, if you see a "rewrite=1" tag, then we don't mind if you rewrite the RFC5322.From field IFF the resigner has an exclusive policy.

Simple! Nothing will satisfy everyone. Not DMARC or even an ATPS or TPA or even the DKIM Conditional Signature draft proposal. But we need to offer it to the market to see how it will work. It has already been proven that it works. My package does not allow restrictive domains to sign up to mailing lists, nor can existing subscribers post into the list. It becomes a Read-Only list for them. I am not going to Rewrite. I want to sleep at night. But if ATPS or something like it is supported, I am extremely confident it will give DMARC an immediate security boost.

I am still around here because I have a strong feeling someone more important than me, maybe Valimail or some other, maybe even Google, will eventually get the "Ah Ha" and say "hmmm, there might be something here, let's explore it. It may not work for all domains, but I see where it can have its place with other domains." Given that these companies have such a high investment and product dependency on DMARC as a business, I have been scratching my head why their Project and/or Product R&D guy is not exploring ATPS, which exists today.

Those wishing to explore ATPS, use this wizard and simulator:

https://secure.winserver.com/public/wcDMARC

--
HLS

On 5/11/2020 1:21 PM, Alessandro Vesely wrote:
> Hi all,
>
> consider the famous incipit:
>
>     DomainKeys Identified Mail (DKIM) permits a person, role, or
>     organization to claim some responsibility for a message by
>     associating a domain name [RFC1034] with the message [RFC5322], which
>     they are authorized to use.
>
> The question is, what responsibility is being claimed? Some sites allow
> authenticated users to use any From:, but are able to find out who the actual
> author was, if needed. Other sites only sign if the From: matches the actual
> user, or at least its domain part. Still others just sign everything.
>
> Discussions about what kind of assurance a signature would imply are rather
> frequent. At least, specifying an aim= tag should shed some light on the
> various possibilities.
>
> Tagging keys with aim= would allow senders to choose an appropriate selector
> under different circumstances. Some mail sites use different sending IP
> addresses to meet a similar purpose. Others use different domain names, opaque
> chunks of base64 data, or X-Google-DKIM-Signatures. An aim= would serve a
> similar purpose in a more open manner, introducing yet another means to discern
> among different mail flows.
>
> Comments?
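The message above argues that a third-party signature authorization check (ATPS, RFC 6541, visible in the atps=/atpsh= tags of the DKIM-Signature headers on this message) should sit next to DMARC alignment so that a mailing list's resignature can pass without rewriting RFC5322.From. The following is an added illustration of that evaluation order, written for this page; it is not code from the thread, from Hector Santos's package, or from the wcDMARC simulator. It assumes: the ATPS query name is built as in RFC 6541 section 4 as I read it (lowercased signer domain hashed with the atpsh algorithm, base32 encoded, used as the left-most label under _atps.<author-domain>, with padding stripped); the DNS zone, the From header, the DMARC record and the DKIM-Signature values are constructed sample data; relaxed alignment is approximated by a two-label comparison rather than the Public Suffix List; and the signatures are taken as already cryptographically verified, since only the alignment/authorization decision is shown.

```python
# Added example: DMARC alignment with an RFC 6541 ATPS fallback for third-party
# signers.  Not code from the thread or from any product mentioned in it.
import base64
import hashlib
import re
from typing import Dict, List


def parse_tags(tag_list: str) -> Dict[str, str]:
    """Split a DKIM-style tag=value list (DKIM-Signature, DMARC or ATPS TXT
    record) into a dict, dropping folding whitespace inside values."""
    tags = {}
    for item in tag_list.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def atps_label(signer_domain: str, atpsh: str) -> str:
    """Left-most label of the ATPS query name.  Follows RFC 6541 section 4 as
    I read it: the lowercased signer domain is hashed with the atpsh algorithm
    and base32 encoded; with atpsh=none the domain is used as-is.  Stripping
    the '=' padding and lowercasing the label are assumptions (DNS labels are
    case-insensitive and '=' is not a hostname character)."""
    domain = signer_domain.lower()
    if atpsh == "none":
        return domain
    digest = hashlib.new(atpsh, domain.encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def aligned(signer_domain: str, author_domain: str, mode: str) -> bool:
    """DMARC identifier alignment.  Relaxed mode is approximated here by
    comparing the last two labels; a real verifier uses the Public Suffix List."""
    signer, author = signer_domain.lower(), author_domain.lower()
    if mode == "s":
        return signer == author
    return signer.split(".")[-2:] == author.split(".")[-2:]


def atps_authorized(sig: Dict[str, str], author_domain: str,
                    zone: Dict[str, str]) -> bool:
    """Does the author domain publish an ATPS record authorizing sig['d']?"""
    # The atps= tag must name the author domain; otherwise the signer is
    # vouching for some other From domain and ATPS does not apply here.
    if sig.get("atps", "").lower() != author_domain.lower():
        return False
    atpsh = sig.get("atpsh", "none").lower()
    if atpsh not in ("none", "sha1", "sha256"):
        return False
    name = f"{atps_label(sig['d'], atpsh)}._atps.{author_domain.lower()}"
    record = zone.get(name)          # stands in for a DNS TXT lookup
    if record is None:
        return False
    rtags = parse_tags(record)
    return rtags.get("v") == "ATPS1" and rtags.get("d", "").lower() == sig["d"].lower()


def evaluate(from_header: str, signatures: List[str], dmarc_record: str,
             zone: Dict[str, str]) -> str:
    """Return an Authentication-Results style verdict.  Every entry in
    `signatures` is assumed to have already passed DKIM verification (b= is
    not checked here); this only decides alignment and ATPS authorization."""
    author_domain = from_header.rsplit("@", 1)[1].strip(" >").lower()
    policy = parse_tags(dmarc_record)
    adkim = policy.get("adkim", "r").lower()
    for raw in signatures:
        sig = parse_tags(raw)
        if aligned(sig["d"], author_domain, adkim):
            return "dmarc=pass (aligned signer)"
        if atps_authorized(sig, author_domain, zone):
            return "dmarc=pass (atps signer)"
    return f"dmarc=fail policy={policy.get('p', 'none')}"


# --- constructed sample data (not real records or real signatures) ----------
AUTHOR = "Hector <author@example.com>"
DMARC = "v=DMARC1; p=reject; adkim=s"
# example.com authorizes the list host lists.example.org as a third-party signer
ZONE = {
    atps_label("lists.example.org", "sha256") + "._atps.example.com":
        "v=ATPS1; d=lists.example.org",
}
SIG_LIST = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.org; s=tms1; "
            "atps=example.com; atpsh=sha256; h=From:To:Subject; bh=XXXX; b=YYYY")
SIG_ROGUE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=evil.example.net; s=x; "
             "atps=example.com; atpsh=sha256; h=From; bh=XXXX; b=YYYY")
SIG_AUTHOR = "v=1; a=rsa-sha256; d=example.com; s=tms1; h=From; bh=XXXX; b=YYYY"

if __name__ == "__main__":
    for label, sigs in (("list", [SIG_LIST]), ("rogue", [SIG_ROGUE]),
                        ("author", [SIG_AUTHOR])):
        print(label, evaluate(AUTHOR, sigs, DMARC, ZONE))
```

With p=reject and adkim=s, the list's signature fails alignment but passes through the ATPS record, while an unlisted signer carrying the same atps= tag still fails; a signature whose atps= names a different domain than the From is not consulted at all. A production verifier would also check the DKIM signature itself, honor DNS failures as "temperror" rather than "fail", and use the Public Suffix List for relaxed alignment.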
- [Ietf-dkim] Adding an aim= tag to DKIM Signature … Alessandro Vesely
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Dave Crocker
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Murray S. Kucherawy
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Damon
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Jim Fenton
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Dave Crocker
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Alessandro Vesely
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Steve Atkins
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Scott Kitterman
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Hector Santos
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Murray S. Kucherawy
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Dave Crocker
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Alessandro Vesely
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Murray S. Kucherawy
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Alessandro Vesely
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Scott Kitterman
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Scott Kitterman
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Murray S. Kucherawy
- Re: [Ietf-dkim] Adding an aim= tag to DKIM Signat… Alessandro Vesely