Re: How to protect DKIM signatures: Moving ADSP to Historic, supporting DMARC instead
Hector Santos <hsantos@isdg.net> Thu, 03 October 2013 23:55 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EFD321F8F97 for <ietf@ietfa.amsl.com>; Thu, 3 Oct 2013 16:55:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.36
X-Spam-Level:
X-Spam-Status: No, score=-102.36 tagged_above=-999 required=5 tests=[AWL=0.239, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9KtOcgmCxlZu for <ietf@ietfa.amsl.com>; Thu, 3 Oct 2013 16:54:48 -0700 (PDT)
Received: from groups.winserver.com (secure.winserver.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id C9E3121E8082 for <ietf@ietf.org>; Thu, 3 Oct 2013 16:54:42 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4043; t=1380844474; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=hCu7jsje0il+qmISCfPSL3OocnA=; b=qPFThCtmVrbqLm4QRCvp QjBsyi8USqGBcHqpGKfGwJO0k8NHC652UfgkfzPB5p+xk5FzeYrz45MOUF8E4gh4 j/hMn+jI9GDBTdpEPY3+iAq8ROQeBzvniZmCmx4GcmWdjn3Xsekzk1ljk31WpK+C O3+bo7/wDfD6mK5a+5j8Wpg=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Thu, 03 Oct 2013 19:54:34 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 3011978792.4443.3724; Thu, 03 Oct 2013 19:54:32 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4043; t=1380844087; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=hmASYUg +lDJRJzP4VNWPX/Fcvl+p/qGnlE/h+r92ZsM=; b=r1sRd28U8iz1dBglATRIi5Z Z/ZzGv+9fipluj07a8R+VO+vNWyplCAAoegYfMkR60MaxCO1jqaHW2SXEv5kqz+H AGAPpkXaqKed+jba2CrYqROX69QXYN3Jgp5PQwuZw2M5lNn0MVZ40pAhV+rT62wV ESbpcA+ABc6K6JseXTWY=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Thu, 03 Oct 2013 19:48:07 -0400
Received: from [192.168.1.2] ([99.121.4.27]) by beta.winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 2458368222.9.4312; Thu, 03 Oct 2013 19:48:06 -0400
Message-ID: <524E03BB.4030607@isdg.net>
Date: Thu, 03 Oct 2013 19:54:35 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Douglas Otis <doug.mtview@gmail.com>
Subject: Re: How to protect DKIM signatures: Moving ADSP to Historic, supporting DMARC instead
References: <20131002144143.20697.85830.idtracker@ietfa.amsl.com> <CAL0qLwZQcXm=EauyKXVqGaUB99sTQgxf2csy0_N489TdfwRr4A@mail.gmail.com> <524D5ACF.3020008@isdg.net> <2F9821D3-C782-46FD-8AD6-B988CF0E6C55@gmail.com> <524DCBA0.1090302@isdg.net> <CAC4RtVCOtpUtziSOsa3N=vzKO3_gBHAm4UWhSQVgECdhc2zJcw@mail.gmail.com> <F8768A46-0C02-4884-87FE-78FFD4C6D3C8@gmail.com>
In-Reply-To: <F8768A46-0C02-4884-87FE-78FFD4C6D3C8@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Barry Leiba <barryleiba@computer.org>, ietf <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Oct 2013 23:55:13 -0000
On 10/3/2013 6:25 PM, Douglas Otis wrote: > > On Oct 3, 2013, at 1:37 PM, Barry Leiba <barryleiba@computer.org> wrote: > >> To both Doug and Hector, and others who want to drift in this direction: >> >> As I've said before, the question of moving ADSP to Historic is one >> we're taking on its own, and is not connected to anything we do or >> don't do with DMARC. Bringing DMARC into the discussion is a >> distraction, and, worse, makes it look like there's a tie-in. There >> is not. > > Dear Berry, > > Even John Levine the author had opine along these same lines. The response to Hector was agreeing a reason should be given, along with agreeing with his justifications. The tie-in may be limited, but nevertheless DMARC has become the chosen alternative. It seems if any reasons are given for moving ADSP to historic it also should conjecture why DMARC and not ADSP, unless your point is nothing has been learned? > Doug, the whole problem was the middleware, the mailing list software or the 3rd party resigners who were either not supporting DKIM, ignorant of policy protocols and/or that did wish to have any 1st party domain controls dictating what mail can be resigned or not. If DMARC is the "chosen alternative" we are still repeating the same related issues with this Author Domain Domain Policy Protocol as well. The mailing list software needs to support this otherwise we still have the same problems as with ADSP. In short, a subscriber to a list using a DOMAIN that is DMARC restrictive will also have a potential to cause automated unsubscribe events to members with DMARC compliant receivers supporting the DMARC restrictive policies. Same thing as with ADSP, just change the protocol name. Keep in mind that DMARC promises to offer better ADSP or as it documents "Super ADSP," in fact it outlines what seems to be the short comings of ADSP: http://tools.ietf.org/html/draft-kucherawy-dmarc-base-01#appendix-A.5 A.5. Issues With ADSP In Operation DMARC has been characterized as a "super-ADSP" of sorts. Contributors to DMARC have compiled a list of issues associated with ADSP, gained from operational experience, that have influenced the direction of DMARC: 1. ADSP has no support for subdomains, i.e., the ADSP record for example.com does not explicitly or implicitly apply to subdomain.example.com. If wildcarding is not applied, then spammers can trivially bypass ADSP by sending from a subdomain with no ADSP record. 2. Non-existent subdomains are explicitly out of scope in ADSP. There is nothing in ADSP that states receivers should simply reject mail from NXDOMAINs regardless of ADSP policy (which of course allows spammers to trivially bypass ADSP by sending email from non-existent subdomains). 3. ADSP has no operational advice on when to look up the ADSP record. 4. ADSP has no support for using SPF as an auxiliary mechanism to DKIM. 5. ADSP has no support for a slow roll-out, i.e., no way to configure a percentage of email on which the receiver should apply the policy. This is important for large-volume senders. 6. ADSP has no explicit support for an intermediate phase where the receiver quarantines (e.g., sends to the recipient's "spam" folder) rather than rejects the email. 7. The binding between the "From" header domain and DKIM is too tight for ADSP; they must match exactly. We must consider that the requestor for the ADSP status change has also authored a DMARC "BCP:" Using DMARC http://tools.ietf.org/html/draft-crocker-dmarc-bcp-01 This draft only mentions ADSP once, and very briefly: 10. Interaction Issues Some issues come into play when DMARC is used in conjunction with one or more other services. o Sender using both DMARC and ADSP Ok, like what? Lets try to get the issues straight. We are talking about dropping work that is already active in replace of some "super-ADSP" protocol. Can we get it right please? -- HLS
- Re: Last Call: Change the status of ADSP (RFC 561… John Levine
- Re: Last Call: Change the status of ADSP (RFC 561… John C Klensin
- Re: Last Call: Change the status of ADSP (RFC 561… Barry Leiba
- RE: Last Call: Change the status of ADSP (RFC 561… ietfdbh
- Re: Last Call: Change the status of ADSP (RFC 561… Dave Crocker
- Re: Last Call: Change the status of ADSP (RFC 561… John C Klensin
- Re: Last Call: Change the status of ADSP (RFC 561… Murray S. Kucherawy
- Re: Last Call: Change the status of ADSP (RFC 561… Hector Santos
- Re: Last Call: Change the status of ADSP (RFC 561… Barry Leiba
- Re: Last Call: Change the status of ADSP (RFC 561… Alessandro Vesely
- Re: Last Call: Change the status of ADSP (RFC 561… Scott Kitterman
- Re: Last Call: Change the status of ADSP (RFC 561… Hector Santos
- Re: Last Call: Change the status of ADSP (RFC 561… John C Klensin
- Re: Last Call: Change the status of ADSP (RFC 561… Hector Santos
- Re: Last Call: Change the status of ADSP (RFC 561… Douglas Otis
- Re: Last Call: Change the status of ADSP (RFC 561… Murray S. Kucherawy
- How to protect DKIM signatures: Moving ADSP to Hi… Hector Santos
- Re: How to protect DKIM signatures: Moving ADSP t… Barry Leiba
- Re: How to protect DKIM signatures: Moving ADSP t… Hector Santos
- Re: How to protect DKIM signatures: Moving ADSP t… Douglas Otis
- Re: Last Call: Change the status of ADSP (RFC 561… Murray S. Kucherawy
- Re: How to protect DKIM signatures: Moving ADSP t… Hector Santos
- Re: Last Call: Change the status of ADSP (RFC 561… Dave Crocker
- Re: Last Call: Change the status of ADSP (RFC 561… Barry Leiba
- Re: Last Call: Change the status of ADSP (RFC 561… Dave Crocker
- Re: Last Call: Change the status of ADSP (RFC 561… Ted Lemon
- Re: Last Call: Change the status of ADSP (RFC 561… Dave Crocker
- Re: Last Call: Change the status of ADSP (RFC 561… Alexey Melnikov
- Re: Last Call: Change the status of ADSP (RFC 561… Dave Crocker
- Re: Last Call: Change the status of ADSP (RFC 561… Barry Leiba
- Re: Last Call: Change the status of ADSP (RFC 561… Barry Leiba
- Re: Last Call: Change the status of ADSP (RFC 561… Dave Crocker
- Re: Last Call: Change the status of ADSP (RFC 561… Bob Braden
- Re: Last Call: Change the status of ADSP (RFC 561… Eliot Lear
- Re: Last Call: Change the status of ADSP (RFC 561… Ted Lemon
- Re: Last Call: Change the status of ADSP (RFC 561… Ted Lemon
- Re: Last Call: Change the status of ADSP (RFC 561… Barry Leiba
- Re: Last Call: Change the status of ADSP (RFC 561… Dave Crocker
- Re: Last Call: Change the status of ADSP (RFC 561… Eliot Lear
- Re: Last Call: Change the status of ADSP (RFC 561… Ted Lemon
- Re: Last Call: Change the status of ADSP (RFC 561… John C Klensin
- Re: Last Call: Change the status of ADSP (RFC 561… John C Klensin
- Re: Last Call: Change the status of ADSP (RFC 561… Hector Santos
- Re: Last Call: Change the status of ADSP (RFC 561… Bradner, Scott
- Re: Last Call: Change the status of ADSP (RFC 561… Dave Crocker
- Re: Last Call: Change the status of ADSP (RFC 561… Bradner, Scott
- Re: Last Call: Change the status of ADSP (RFC 561… Barry Leiba
- Re: Last Call: Change the status of ADSP (RFC 561… Murray S. Kucherawy
- Procedural Changes through side-effect (was: Re: … John C Klensin
- Re: Last Call: Change the status of ADSP (RFC 561… Dave Crocker
- Re: Procedural Changes through side-effect (was: … S Moonesamy
- Spontaneous Procedure Invention ( was Re: Procedu… Dave Crocker
- Re: Last Call: Change the status of ADSP (RFC 561… Barry Leiba
- Re: Last Call: Change the status of ADSP (RFC 561… S Moonesamy
- Re: Last Call: Change the status of ADSP (RFC 561… Barry Leiba
- Re: Last Call: Change the status of ADSP (RFC 561… S Moonesamy