IETF Logo Mail Archive

Re: [Ietf-dkim] Call for adoption results: draft-ietf-dkim-replay-problem Adopted

Jon Callas <jon@callas.org> Mon, 14 August 2023 17:53 UTC

Return-Path: <jon@callas.org>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB9A4C15199F for <ietf-dkim@ietfa.amsl.com>; Mon, 14 Aug 2023 10:53:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=callas.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T_Ftk53eWPjp for <ietf-dkim@ietfa.amsl.com>; Mon, 14 Aug 2023 10:53:32 -0700 (PDT)
Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AD1EC151996 for <ietf-dkim@ietf.org>; Mon, 14 Aug 2023 10:53:32 -0700 (PDT)
Received: by mail-pl1-x635.google.com with SMTP id d9443c01a7336-1bdf7086ae5so857305ad.0 for <ietf-dkim@ietf.org>; Mon, 14 Aug 2023 10:53:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=callas.org; s=google; t=1692035611; x=1692640411; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=SH5NMFxiCuothqmIIRQ1ijYf5FO8yyBhsfiDsQ+Ey4g=; b=BJIxh8CLjAs1SHTENCHvpPZjwzjAgQKxQMtOgRbLVOArkbxY8OPEm0vkoOZ18paxbc c8LKfO4kllwE5h01paR+ojH2PIZVNEEMehXBrWHjbNKzWC5IhNlKj7cxJWIdaYYr6X22 56c0eF5p5/NT3mgk7FZA9gDemqLe0mPRXg+SS85agkZu+cvDt8kj+bwj8cCPfvX9escR vrnTTlIIByBK49kY0j6Cb39EZcKJAtKs+L9XCUSU3qMZGD7octngaloaDE6bI1GsL4+H 41oiufEmSrtV/bP3OfyPptxrkgu3NcNWzyjuT/RTQNaxf9uhL1+jfdQbdaAuEGsPmWzh OtKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692035611; x=1692640411; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=SH5NMFxiCuothqmIIRQ1ijYf5FO8yyBhsfiDsQ+Ey4g=; b=CPkSG7hfKdaF6Z5lHD8N2ZjFy6ly3KNRDyQRthJBaSp4J4OQozLI9/bvJgcOXCH66t JR22h+drNgZRzwE37sPjh1ysS8IRS6LIxNLpgL3LZ15ryn5BgtyhS83jFQN4sRjsSH3S aOUHNnYG7p3NsSzg3seUxIUK9VaVoicl/c2RnKLsyMW0pobHbWXyyfzbV5WFvDaRuGsG ot9nkkALAcS8XV4sZNquPLq1SrAsY/gP6/WKPL8LB8sOyUX/v1ntbSZdr3Bblg5u5R6q yHttII81yPMjUjqrVbwlv2G34/Ys7UPhyDc2OYSWST7EIjTIB3gkrHzI1w0IBmbnSDJ7 zVXA==
X-Gm-Message-State: AOJu0YxY1CzVYHpbCOIFHYidcG5+Oa3LI6lOuJ3Voshz+F/sanSmfCsx LD0hhoVavlRTVFfcpBAqHBwVbg==
X-Google-Smtp-Source: AGHT+IHg7SjYQ+/tkWb5+TdufESwS7erM0ZasOPgUM6FFs4GxkJhpBG/r6JYa0uT2Gne5QVkALmL9w==
X-Received: by 2002:a17:902:c404:b0:1bd:cde4:8b3a with SMTP id k4-20020a170902c40400b001bdcde48b3amr9133254plk.23.1692035610961; Mon, 14 Aug 2023 10:53:30 -0700 (PDT)
Received: from smtpclient.apple ([2600:1700:38c4:12bf:9960:75f9:6d9e:40c4]) by smtp.gmail.com with ESMTPSA id j12-20020a170902c3cc00b001bdc208ab82sm6698961plj.97.2023.08.14.10.53.29 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 14 Aug 2023 10:53:30 -0700 (PDT)
From: Jon Callas <jon@callas.org>
Message-Id: <F230EA50-826B-4EE6-8E45-0AF4FA2C2E1A@callas.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A426716F-92AC-4FA0-9F07-F2FCD09A1845"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Mon, 14 Aug 2023 10:53:19 -0700
In-Reply-To: <f0ef5677-9ccd-44c9-b6d4-858d53d36269@app.fastmail.com>
Cc: Jon Callas <jon@callas.org>, Steffen Nurpmeso <steffen@sdaoden.eu>, ietf-dkim@ietf.org
To: Jesse Thompson <zjt@fastmail.com>
References: <66CF1130-1BF9-40F2-BBAF-F3A49A5BC1C8@wordtothewise.com> <95c9c13c-de13-5688-abcc-531d58f8598d@dcrocker.net> <CALaySJ+jDUGw5y6Lnb7cSfcM+ESD8CFCyOq2cFB5YkDC8BYK+A@mail.gmail.com> <2063DBB7-10F9-4B05-8B60-023DAC0808AA@wordtothewise.com> <0bdf58a4-84a9-437a-b6e9-66910ebffb9b@app.fastmail.com> <B550D53E-25B2-468D-94CD-2C1333E2B186@wordtothewise.com> <CAAFsWK1zzH35NB5BiEJm+Hkqk0WdMgy2PH0hoRXRQJ=GJTGiLQ@mail.gmail.com> <CAFcYR_XVMBqGKppLhJFakYdJNUSManfh2ESjxc9JnWnKKJ38GA@mail.gmail.com> <0b06252d-73f5-4a8f-a830-25761ab7f063@app.fastmail.com> <CAFcYR_UORPD3NsYjVS9k6bOjX-AXDRaXSBQG3oNim0ApKiiGOg@mail.gmail.com> <CAL0qLwaNE8rWFLXjRk6yUVqmY9nzTNQ9JdeQE7-SR29cvWQ3NA@mail.gmail.com> <a506581d-56c8-4440-a2d9-7d045a7ab650@app.fastmail.com> <CAL0qLwYY=7LSyF4bcRCOWk6TCkdW+G63QatZJG5pFE-hB6FfpA@mail.gmail.com> <0526343d-0b31-4fce-b92a-3f44de19b150@app.fastmail.com> <31FEC684-2161-47D5-B022-9CF134AB8767@wordtothewise.com> <CAL0qLwatb6-egZ8+-LxE=4wc5q1xfr3xRwAjV=95vHgzwgX7fQ@mail.gmail.com> <20230809160632.VgxW6%steffen@sdaoden.eu> <CAL0qLwYJf2WyZ4jbDtFptkOghpAF7GPYkkCNnvHOqEkV_Sv4zw@mail.gmail.com> <9bbf617b-13c6-4be5-841f-2a36b702de51@app.fastmail.com> <20230811213456.hA9TD%steffen@sdaoden.eu> <5859b14f-64d3-4ad1-a322-c2ed927e64b4@app.fastmail.com> <20230812193147._ESNc%steffen@sdaoden.eu> <f0ef5677-9ccd-44c9-b6d4-858d53d36269@app.fastmail.com>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/rakym1Ehq2MZ866xrcOdP4Q2AGc>
Subject: Re: [Ietf-dkim] Call for adoption results: draft-ietf-dkim-replay-problem Adopted
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2023 17:53:36 -0000


> On Aug 13, 2023, at 20:31, Jesse Thompson <zjt@fastmail.com> wrote:
> 
> If I understand based on my limited view of history, DKIM was designed for authentication between two hops. Signature survival across intermediaries was only achievable by encouraging intermediaries to not make any changes to the message "inside the envelope" such as standards-allowed MIME re-encoding (which, notably, prevents intermediaries from improving MIME interoperability).

I'm not the first to say it, but it was  the opposite. The original statement from the Domain Keys folks from Yahoo was that when your bank sends an email to you, your ISP can know that, even though it's bounced through your alumni association. It was *specifically* a three-hop thing in the distilled elevator pitch.

Remember as well that for two-hop sending, SPF was a preferred thing and there was a lot of conversation that tried to put them as competitors. We argued against that. I think it's pretty obvious that the two together are much better than either alone.

Here's a vastly oversimplified case. Consider someone who runs email on a small, NATted network. Under SPF, if a spammer sends a message from any host outward, it has the same path and thus passes SPF despite being spam. 
DKIM is domain-to-domain authentication, not user-to-user, because user relationships are complex. Here's a not-uncommon example:

Incoming email sent to info@domain goes into Alice's mailbox, via something akin to virtual users in Postfix. From time to time Alice sends a message from info@, without there being an actual user. The DKIM edge MTA signs it. That means that the mail architecture has to deal with the gap between Alice and that signing MTA. Any given setup is either a bug or a feature that they, not we, have to manage. Delegated email is a thing.

Pulling in what you said above that:

> [...] If DKIM is what is used by ESPs to authenticate message submissions, and the fallback for non-DKIM signed mail is to allow the submission, then certainly that is something spammers would leverage. That seems like an unlikely scenario since ESPs require other forms of authenticating message submission.

I'm not sure I really understand your case here.

DKIM authenticates the "administrative domain" of the sender, not the user. As noted above, the domain has to do a bunch of user management that's outside the scope of DKIM. That management can be strict (any user can only send email with their own From on it) or loose (any user can just telnet to port 25 and start sending emails from anything) or anything in between, and any decision has consequences the sysadmins have to adapt on their own.

I think you're saying more or less what I was saying, but I'm not sure.

As a last note, internal signatures like OpenPGP, and S/MIME, and anything else are inside the message and thus orthogonal to DKIM (and SPF).

Thus, SPF is a verification of the network path. DKIM is an authentication of the sending MTA. S/MIME etc. is an authentication of the sender. Each has its own failure modes, and each has weird edge conditions and gray areas. I look at it as they go up a stack of sorts -- network -> domain -> user.

	Jon

v2.23.0 | Report a Bug | By Email