Re: [IETF] DMARC methods in mailman
John C Klensin <john-ietf@jck.com> Mon, 26 December 2016 16:08 UTC
Date: Mon, 26 Dec 2016 11:08:13 -0500
From: John C Klensin <john-ietf@jck.com>
To: Theodore Ts'o <tytso@mit.edu>, Viktor Dukhovni <ietf-dane@dukhovni.org>
Subject: Re: [IETF] DMARC methods in mailman
Message-ID: <945D78ECE385B7BCC78B8F8B@JcK-HP5.jck.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/3tQ5JekAaohSq8OKbQehz-wpolA>
Cc: IETF general list <ietf@ietf.org>

Just another thought along the same lines. If one is trying to
design an MUA (or web browser) to reduce phishing risk, the
following two design decisions should be high on the list of
things to avoid doing:

(i) If a message arrives with a head field of
    From: Santa Claus <satanic-being@evil.example>
display
    From: Santa Claus
to the user, presumably on the grounds that actual mailboxes are
ugly and a bad user experience.

(ii) If, in the middle of an HTML page, a construction appears
like:
    <a href="http://evil.example/satanic-being">
    https://santa-claus.example.com/ </a>
display
    https://santa-claus.example.com/
to the user without any comment.

As long as those implementing popular MUAs and browsers are
doing both of those things, it is really hard to hear about the
problems DMARC is supposedly solving.

    john

--On Monday, December 26, 2016 9:49 AM -0500 Theodore Ts'o
<tytso@mit.edu> wrote:

> On Sun, Dec 25, 2016 at 01:05:59PM -0500, Viktor Dukhovni
> wrote:
>>
>> The need for email origin authentication to specify that
>> "Sender" preempts "From" has been well understood for a long
>> time before there was DMARC. If there is to be a
>> non-broken replacement, it must correct this design error and
>> place the "burden" of dealing with that on any MUAs that fail
>> to display Sender (as e.g. from <sender> on behalf of
>> <author>).
>
> But if MUA's do this, then it becomes trivial to phish
> consumers, which was the original excuse for DMARC. So if
> MUA's do this, eventually Yahoo and the other big mail
> providers will promulgate a non-standard "fix" that will
> bounce message with Sender lines that aren't equal to the From
> field. And then what will you do?
>
> Hint: stop using mail providers that obey non-standard mail
> protocols, because they *will* break you eventually, and/or
> randomly.
>
> - Ted
>
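
The two display decisions in the message above, turned into checks a mail client or gateway could apply. This is an added example, not part of the original message or of any MUA's code; the function and class names are hypothetical and the sample inputs are constructed from the message's own illustrations.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

def render_from(header_value):
    """Show the mailbox next to the display name, never the name alone."""
    name, addr = parseaddr(header_value)
    if not addr:
        return "(unparseable From)"
    return f"{name} <{addr}>" if name else addr

def _host(url):
    """Lower-cased host of a URL, or '' if it has none or cannot be parsed."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""

class LinkAuditor(HTMLParser):
    """Record anchors whose visible text is a URL for a different host than href."""
    def __init__(self):
        super().__init__()
        self._href, self._text, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            shown_host = _host(shown) if "://" in shown else ""
            if shown_host and shown_host != _host(self._href):
                self.mismatches.append((shown, self._href))
            self._href = None

def audit_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.mismatches

# Constructed inputs, built from the message's own two illustrations.
SAMPLE_FROM = "Santa Claus <satanic-being@evil.example>"
SAMPLE_HTML = ('<a href="http://evil.example/satanic-being"> '
               'https://santa-claus.example.com/ </a> '
               '<a href="https://santa-claus.example.com/x">https://santa-claus.example.com/</a>')
```

Only the first anchor in SAMPLE_HTML is reported; the second shows a URL on the same host as its href and passes.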