IETF Logo Mail Archive

Re: DMARC and ietf.org

Hector Santos <hsantos@isdg.net> Tue, 22 July 2014 12:44 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1696D1A0AFD for <ietf@ietfa.amsl.com>; Tue, 22 Jul 2014 05:44:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.138
X-Spam-Level:
X-Spam-Status: No, score=-101.138 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wvj5N579pU5n for <ietf@ietfa.amsl.com>; Tue, 22 Jul 2014 05:44:55 -0700 (PDT)
Received: from mail.santronics.com (ftp.catinthebox.net [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id EE4F71A854D for <ietf@ietf.org>; Tue, 22 Jul 2014 05:44:46 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=3164; t=1406033084; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=63Nj6N2JPNSUMHbV0p9dUOvRo9o=; b=VOCnAaNn0xP9zHHy0BwA QVaBv47hYZFwpqxYelsvHRQNyyUK4CzHr/lw4N6Uv9GzCbjmiYy7zEpdFSJoLVnH Ng4s1LOTd5acsvhTwq70+lgYA4kfME455ZdQytddzwExPdbXzXIZ5WjWIwvbyJaP xdygLsbKSreTcsLtumC6AYI=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Tue, 22 Jul 2014 08:44:44 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from opensite.winserver.com (beta.winserver.com [208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 1218198424.1247.4172; Tue, 22 Jul 2014 08:44:43 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=3164; t=1406032839; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=/KkpjjV 2c6y+28QW0PuiPvLzhlMULbKOrpqoMEY/dSw=; b=knkszemv/fCNxJQ2chTIcPQ /NpT/eC44L37lYM3q0/zEAXFQR2y2Th+Ga47NPNeibIIFvLJ5Lcor1+6iha/d4y0 OOHPedV+QEX9FObozQZnl4p4xLMgKYckI3KZCpFSanXWGTVbGNL4o/69uDSvc27H mUh+2ZOiPzgsb9TFeyFc=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Tue, 22 Jul 2014 08:40:39 -0400
Received: from [192.168.1.2] ([99.121.4.27]) by beta.winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 1234518907.9.7480; Tue, 22 Jul 2014 08:40:38 -0400
Message-ID: <53CE5CB7.6080400@isdg.net>
Date: Tue, 22 Jul 2014 08:44:39 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: DMARC and ietf.org
References: <20140721025132.3111.qmail@joyce.lan> <53CD6585.3090406@isdg.net> <CE39F90A45FF0C49A1EA229FC9899B0507DEDE09@USCLES544.agna.amgreetings.com> <53CD76D3.2080506@isdg.net> <CE39F90A45FF0C49A1EA229FC9899B0507DEE030@USCLES544.agna.amgreetings.com>
In-Reply-To: <CE39F90A45FF0C49A1EA229FC9899B0507DEE030@USCLES544.agna.amgreetings.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/Gp-Lnbb6D8ZYuvLMkAbE2ZRGdEU
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Jul 2014 12:44:57 -0000

On 7/21/2014 4:40 PM, MH Michael Hammer (5304) wrote:
>
>> Mike,
>>
>> There is no "pretending" here. We actually IMPLEMENTED and DEPLOYED the
>> consensus built MAILING LIST recommendations and it works.
>>
>
> The fact that you implemented and deployed does not mean that there is a general consensus in the IETF sense.
>

In the IETF sense, there was many IETF consensus built document. Thats 
exactly my point. You are referring to adoption. The claim was there 
was no "consensus at all" in dealing with the problem is not true. 
Guidelines were produced. The reasons for not lacking multiple vendor 
support is a different issue best to lay rest as long as the IETF 
mistakes are recognized and finally finish this "job."

>> So I disagree 100% with the erroneous suggestion there has been "no
>> consensus at all."  To suggest there is no guidelines whatsoever has been the
>> real disservice being promoted.  Its not true.
>>
>
> Guidleines != consensus.

Consensus does not necessarily translate to support and adoption. Agree.
But consensus does leads to production of (RFC, STD) guidelines in the 
IETF.

> The devil is always in the details. ADSP!=DMARC.

Of course, but the entire policy framework with I-D and RFCs (SSP, 
DSAP, ADSP, ASL, ATPS, TPA, DMARC) from an software engineering 
standpoint are all sender/author domain signing policy protocols. 
They all fall in the same plug and play "black box" principle for the 
verifier "Checking Signing Practices" (CSP) module. This was all 
outlined and extracted from the IETF consensus-built documents:

    RFC4686  Analysis of Threats Motivating DKIM
    RFC5016  Requirements for a DKIM Signing Practices Protocol
    RFC5585  DKIM Service Overview

In particular,  see the RFC5685 architectural illustration with the 
CSP module in the middle of all this. See the RFC4686 illustration 
with the SSP and SIGNER EVALUATION modules.

My main point, love them or not, these and other DKIM-related 
documents were all consensus IETF built RFC guidelines for an 
integrated mail framework and list servers are part of the framework.

There were many integrated areas that were not consistent.  What 
created the core conflict we have today was predicted with the last 
minute provision added in RFC5016 section 5.3 item 10:

    10. SSP MUST NOT provide a mechanism that impugns the existence of
        non-first party signatures in a message.  A corollary of this
        requirement is that the protocol MUST NOT link practices of first
        party signers with the practices of third party signers.

IMO, it disallowed us from finishing the job. Its hard to do software 
with this logic. I believe the intent was this:

    if two or more signatures exist and one is a 3rd party, ignore the
    1st party.

It allowed the list operation to disregard all new security protection 
mechanisms and passed the buck to the receivers when all they have to 
do is three basic things:

    1) Deny Restrictive Domains from Subscribing
    2) Deny Restrictive Domains from List Submission
    3) Pottery Principle "You break it, you own it" - Resign mail

I agree, there was limited adoption.


-- 
HLS

v2.23.0 | Report a Bug | By Email