Re: (DMARC) We've been here before, was Why mailing lists

Theodore Ts'o <> Fri, 18 April 2014 21:04 UTC

Date: Fri, 18 Apr 2014 17:04:28 -0400
From: Theodore Ts'o <>
To: Brian E Carpenter <>
Subject: Re: (DMARC) We've been here before, was Why mailing lists
Cc: Michael Richardson <>, Pete Resnick <>, "" <>, John R Levine <>

On Sat, Apr 19, 2014 at 08:47:37AM +1200, Brian E Carpenter wrote:
> So, if the From says
> From: <>
> many UAs would show only as the sender,
> but badguy could have passed DMARC, no?
> This would not exactly enhance goodguy's reputation,
> or Yahoo's for that matter. I realise it isn't the exploit
> that Yahoo is trying to stop, but it suggests to me that
> DMARC is only plugging one small hole in a very leaky dam.

If the problem is trying to protect goodguy or's
reputation, I wonder if a better approach would have been to have issue all of its users S/MIME certificates, and then have a
DMARC-like policy requesting recipients: "if the e-mail has the From:
field of, and it's not an S/MIME-signed e-mail with a certificate, reject the e-mail".

After all, we know S/MIME successfully passes through mailing lists,
and if in fact the message was appropriately signed using an S/MIME
cert, it would be quite natural to have the UAs display the
information from the Common Name field of the cert.

That would solve a host of problems, including the hand-wringing
around how S/MIME has lots of deployed users, but very few deployed

						- Ted
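The two points raised in this exchange (Brian's observation that DMARC checks only the address domain of the From: field and never the display name, and Ted's sketch of a "reject unless S/MIME-signed by the domain's own certificate" policy) can be made concrete with a small policy evaluator. The code below is an added illustration, not code from the thread or from any mail system; the domains (`yahoo.example`, `evil.example`, `lists.example`), the `POLICIES` table, the `Message` fields and the `require-smime` policy name are all constructed for the example, and DMARC alignment is reduced to the strict form (exact domain match) for brevity.

```python
"""Constructed illustration of RFC5322.From handling in DMARC-style policy checks."""
import email.utils
from dataclasses import dataclass
from typing import Optional


def address_domain(from_value: str) -> Optional[str]:
    """Domain of the RFC5322.From *address*. The display name is ignored here,
    which is exactly what DMARC does, so a display name that merely looks like
    another address is invisible to the check."""
    _name, addr = email.utils.parseaddr(from_value)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def dmarc_aligned(from_value: str, authenticated_domain: str) -> bool:
    """Strict DMARC identifier alignment: the domain that passed DKIM (d=) or
    SPF must equal the From address domain. Relaxed (organizational-domain)
    alignment is deliberately left out of this example."""
    domain = address_domain(from_value)
    return domain is not None and domain == authenticated_domain.lower()


def display_name_spoofs_other_domain(from_value: str) -> bool:
    """Detection heuristic for Brian's case: the display name contains something
    that looks like an address whose domain differs from the real address domain.
    A message can pass DMARC and still trip this check."""
    name, _addr = email.utils.parseaddr(from_value)
    real = address_domain(from_value)
    if real is None or "@" not in name:
        return False
    shown = name.rsplit("@", 1)[1].strip(' "<>').lower()
    return shown != real


@dataclass
class Message:
    from_header: str
    dkim_domain: Optional[str] = None          # d= of a DKIM signature that verified
    smime_signer_domain: Optional[str] = None  # domain in the subject of a verified S/MIME cert


# Hypothetical policy table standing in for DNS-published policy (constructed).
POLICIES = {
    "yahoo.example": "require-smime",  # Ted's proposal: reject unless S/MIME-signed by the domain's cert
    "example.net": "dmarc-reject",     # classic DMARC p=reject
}


def evaluate(msg: Message) -> str:
    """Return 'accept' or 'reject' for a message under the sender domain's policy."""
    domain = address_domain(msg.from_header)
    if domain is None:
        return "reject"  # unparseable From: header
    policy = POLICIES.get(domain, "none")
    if policy == "require-smime":
        # The S/MIME signature is over the body, so it survives a mailing list that
        # re-signs or rewrites headers; a forged From: without the user's cert fails.
        return "accept" if msg.smime_signer_domain == domain else "reject"
    if policy == "dmarc-reject":
        ok = msg.dkim_domain is not None and dmarc_aligned(msg.from_header, msg.dkim_domain)
        return "accept" if ok else "reject"
    return "accept"


if __name__ == "__main__":
    # Brian's case: display name shows goodguy's address, real address is elsewhere.
    lookalike = '"goodguy@yahoo.example" <badguy@evil.example>'
    print(dmarc_aligned(lookalike, "evil.example"))            # True: DMARC is satisfied
    print(display_name_spoofs_other_domain(lookalike))         # True: heuristic catches it
    # Ted's case: a real user's mail relayed through a list that re-signed it.
    relayed = Message("goodguy <goodguy@yahoo.example>", "lists.example", "yahoo.example")
    print(evaluate(relayed))                                   # accept
```

The `evaluate` path for `require-smime` accepts the relayed message even though `dmarc_aligned` would return `False` for it (the list's `d=` is not the From domain), which is the property Ted is pointing at: a body signature is indifferent to what the list did to the envelope and headers.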