IETF Logo Mail Archive

Re: How to protect DKIM signatures: Moving ADSP to Historic, supporting DMARC instead

Hector Santos <hsantos@isdg.net> Thu, 03 October 2013 23:55 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EFD321F8F97 for <ietf@ietfa.amsl.com>; Thu, 3 Oct 2013 16:55:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.36
X-Spam-Level:
X-Spam-Status: No, score=-102.36 tagged_above=-999 required=5 tests=[AWL=0.239, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9KtOcgmCxlZu for <ietf@ietfa.amsl.com>; Thu, 3 Oct 2013 16:54:48 -0700 (PDT)
Received: from groups.winserver.com (secure.winserver.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id C9E3121E8082 for <ietf@ietf.org>; Thu, 3 Oct 2013 16:54:42 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4043; t=1380844474; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=hCu7jsje0il+qmISCfPSL3OocnA=; b=qPFThCtmVrbqLm4QRCvp QjBsyi8USqGBcHqpGKfGwJO0k8NHC652UfgkfzPB5p+xk5FzeYrz45MOUF8E4gh4 j/hMn+jI9GDBTdpEPY3+iAq8ROQeBzvniZmCmx4GcmWdjn3Xsekzk1ljk31WpK+C O3+bo7/wDfD6mK5a+5j8Wpg=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Thu, 03 Oct 2013 19:54:34 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 3011978792.4443.3724; Thu, 03 Oct 2013 19:54:32 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4043; t=1380844087; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=hmASYUg +lDJRJzP4VNWPX/Fcvl+p/qGnlE/h+r92ZsM=; b=r1sRd28U8iz1dBglATRIi5Z Z/ZzGv+9fipluj07a8R+VO+vNWyplCAAoegYfMkR60MaxCO1jqaHW2SXEv5kqz+H AGAPpkXaqKed+jba2CrYqROX69QXYN3Jgp5PQwuZw2M5lNn0MVZ40pAhV+rT62wV ESbpcA+ABc6K6JseXTWY=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Thu, 03 Oct 2013 19:48:07 -0400
Received: from [192.168.1.2] ([99.121.4.27]) by beta.winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 2458368222.9.4312; Thu, 03 Oct 2013 19:48:06 -0400
Message-ID: <524E03BB.4030607@isdg.net>
Date: Thu, 03 Oct 2013 19:54:35 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Douglas Otis <doug.mtview@gmail.com>
Subject: Re: How to protect DKIM signatures: Moving ADSP to Historic, supporting DMARC instead
References: <20131002144143.20697.85830.idtracker@ietfa.amsl.com> <CAL0qLwZQcXm=EauyKXVqGaUB99sTQgxf2csy0_N489TdfwRr4A@mail.gmail.com> <524D5ACF.3020008@isdg.net> <2F9821D3-C782-46FD-8AD6-B988CF0E6C55@gmail.com> <524DCBA0.1090302@isdg.net> <CAC4RtVCOtpUtziSOsa3N=vzKO3_gBHAm4UWhSQVgECdhc2zJcw@mail.gmail.com> <F8768A46-0C02-4884-87FE-78FFD4C6D3C8@gmail.com>
In-Reply-To: <F8768A46-0C02-4884-87FE-78FFD4C6D3C8@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Barry Leiba <barryleiba@computer.org>, ietf <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Oct 2013 23:55:13 -0000

On 10/3/2013 6:25 PM, Douglas Otis wrote:
>
> On Oct 3, 2013, at 1:37 PM, Barry Leiba <barryleiba@computer.org> wrote:
>
>> To both Doug and Hector, and others who want to drift in this direction:
>>
>> As I've said before, the question of moving ADSP to Historic is one
>> we're taking on its own, and is not connected to anything we do or
>> don't do with DMARC.  Bringing DMARC into the discussion is a
>> distraction, and, worse, makes it look like there's a tie-in.  There
>> is not.
>
> Dear Berry,
>
> Even John Levine the author had opine along these same lines.  The response to Hector was agreeing a reason should be given, along with agreeing with his justifications.  The tie-in may be limited, but nevertheless DMARC has become the chosen alternative.  It seems if any reasons are given for moving ADSP to historic it also should conjecture why DMARC and not ADSP, unless your point is nothing has been learned?
>

Doug, the whole problem was the middleware, the mailing list software 
or the 3rd party resigners who were either not supporting DKIM, 
ignorant of policy protocols and/or that did wish to have any 1st 
party domain controls dictating what mail can be resigned or not.

If DMARC is the "chosen alternative" we are still repeating the same 
related issues with this Author Domain Domain Policy Protocol as well. 
   The mailing list software needs to support this otherwise we still 
have the same problems as with ADSP.  In short, a subscriber to a list 
using a DOMAIN that is DMARC restrictive will also have a potential to 
cause automated unsubscribe events to members with DMARC compliant 
receivers supporting the DMARC restrictive policies.   Same thing as 
with ADSP, just change the protocol name.

Keep in mind that DMARC promises to offer better ADSP or as it 
documents "Super ADSP," in fact it outlines what seems to be the short 
comings of ADSP:

    http://tools.ietf.org/html/draft-kucherawy-dmarc-base-01#appendix-A.5

    A.5.  Issues With ADSP In Operation

    DMARC has been characterized as a "super-ADSP" of sorts.

    Contributors to DMARC have compiled a list of issues associated with
    ADSP, gained from operational experience, that have influenced the
    direction of DMARC:

    1.  ADSP has no support for subdomains, i.e., the ADSP record for
        example.com does not explicitly or implicitly apply to
        subdomain.example.com.  If wildcarding is not applied, then
        spammers can trivially bypass ADSP by sending from a subdomain
        with no ADSP record.

    2.  Non-existent subdomains are explicitly out of scope in ADSP.
        There is nothing in ADSP that states receivers should simply
        reject mail from NXDOMAINs regardless of ADSP policy (which of
        course allows spammers to trivially bypass ADSP by sending email
        from non-existent subdomains).

    3.  ADSP has no operational advice on when to look up the ADSP
        record.

    4.  ADSP has no support for using SPF as an auxiliary mechanism to
        DKIM.

    5.  ADSP has no support for a slow roll-out, i.e., no way to
        configure a percentage of email on which the receiver should
        apply the policy.  This is important for large-volume senders.

    6.  ADSP has no explicit support for an intermediate phase where the
        receiver quarantines (e.g., sends to the recipient's "spam"
        folder) rather than rejects the email.

    7.  The binding between the "From" header domain and DKIM is too
        tight for ADSP; they must match exactly.


We must consider that the requestor for the ADSP status change has 
also authored a DMARC "BCP:"

    Using DMARC
    http://tools.ietf.org/html/draft-crocker-dmarc-bcp-01

This draft only mentions ADSP once, and very briefly:

    10.  Interaction Issues

    Some issues come into play when DMARC is used in conjunction with one
    or more other services.

    o  Sender using both DMARC and ADSP


Ok, like what?

Lets try to get the issues straight. We are talking about dropping 
work that is already active in replace of some "super-ADSP" protocol.

Can we get it right please?


-- 
HLS

v2.23.0 | Report a Bug | By Email