Re: Will mailing lists survive DMARC?

Douglas Otis <doug.mtview@gmail.com> Tue, 29 April 2014 22:00 UTC

Return-Path: <doug.mtview@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C32A1A09CA for <ietf@ietfa.amsl.com>; Tue, 29 Apr 2014 15:00:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_16=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DJ8ESXue0X6l for <ietf@ietfa.amsl.com>; Tue, 29 Apr 2014 15:00:16 -0700 (PDT)
Received: from mail-pd0-x22f.google.com (mail-pd0-x22f.google.com [IPv6:2607:f8b0:400e:c02::22f]) by ietfa.amsl.com (Postfix) with ESMTP id F29031A09DB for <ietf@ietf.org>; Tue, 29 Apr 2014 15:00:15 -0700 (PDT)
Received: by mail-pd0-f175.google.com with SMTP id fp1so755317pdb.34 for <ietf@ietf.org>; Tue, 29 Apr 2014 15:00:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=DZdT947uplZSEluDPmvqajKMti5IY3bTWkwvv8DGuA0=; b=M/ol3201v1TxImPadm3UuKAClDjosYsxp2F6fbOi2KnZy38jw92OAVe9om6dSs8HNb ZWmoV4wVGx86FH17fwuYzZ3fWMoFr3lqt5cW5GWe13FeH+HDWj/kD3PQEnxYhcawTEU9 7LY2Cu6ZOJ7PSbGQra5kdZiTWANQhXFSKFvxKX/UJnzoF2fX7XUDb+kVgG2jjtG8qazE eMgVhr+AeoXiJUtzdP0da1QXd7J0OkhBW383F1rM74NUwq0HmNKsFsCATuBd5Vu9TprM YUUjFLISV6ke5/fxHdgoKTTfWb+w7pD/dcPqtyeZkWi1t7oVMWSsDuKePDQty2RYr5eB GUEg==
X-Received: by 10.66.164.5 with SMTP id ym5mr1001229pab.50.1398808814666; Tue, 29 Apr 2014 15:00:14 -0700 (PDT)
Received: from [192.168.0.54] (107-0-5-6-ip-static.hfc.comcastbusiness.net. [107.0.5.6]) by mx.google.com with ESMTPSA id ck10sm88651504pac.0.2014.04.29.15.00.12 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 29 Apr 2014 15:00:13 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_7405A57C-4389-4A85-B818-7FE566476BED"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
Subject: Re: Will mailing lists survive DMARC?
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <20140429175606.2856.qmail@joyce.lan>
Date: Tue, 29 Apr 2014 15:00:12 -0700
Message-Id: <0A46725A-D80C-4F64-BACE-B2C73A04782D@gmail.com>
References: <20140429175606.2856.qmail@joyce.lan>
To: John Levine <johnl@taugh.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/XJh0Z_sOoPRU8IxK22nqUBI79ts
Cc: ietf@ietf.org, paf@frobbit.se
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 22:00:17 -0000

On Apr 29, 2014, at 10:56 AM, John Levine <johnl@taugh.com> wrote:

> What changed is that two of the largest consumer mail providers had
> huge security breaches where crooks stole user info including their
> address books (both admit it, no conspiracizing needed) and used DMARC
> as a sledgehammer to try and mitigate the damage.  I don't think
> anyone is opposed to mitigating damage, but these particular efforts
> had the predictable side effect of dumping costs on unrelated third
> parties which AOL and Yahoo have so far done nothing to address.
> Yahoo's blog admits that they are affecting 30,000 other providers, so
> they know this is not a trivial problem.

Dear John,

From our experience, similar security problems affect social websites due to poor browser plugin vetting or poor cookie management.  Being highly balkanized, no equivalent DMARC policy will likely impact social websites since damage to privacy or security seldom becomes public.

No cryptographic mailing-list token or a list of trustworthy mailing-lists by outside vendors can remedy this problem due to liability risks.  Companies that deployed p=reject against user accounts neglected serious security issues for years.  In many cases, their services are on behalf of other ISPs.  Fortunately, gmail.com has not asserted p=reject.

Redirecting responsibility by using DKIM or SPF is at the crux and the basis for DMARC.  Neither of these schemes authenticates the domain introducing the message, and they ignore intended recipients.  This indirection has become endemic and makes it difficult to scale for IPv6 or to permit valid third-party services.

One viable method agnostic to verification schemes is http://tools.ietf.org/html/draft-otis-dkim-tpa-label-06 (TPA).  Yahoo and AOL can compile their needed TPA exceptions.  This scheme should scale better than other extensions in use, especially DKIM or SPF.

There will be an effort made to better generalize the expired TPA draft.  http://tools.ietf.org/html/rfc6541 (ATPS) was hostile to existing mailing-list services and, as such, could not be deployed.  Nor was it more suitable for high volume email services.  An effort to change From header fields will have users guessing which field indicates who authored the message and in the end will provide no benefit.

Regards,
Douglas Otis
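The mechanics behind this thread, as an added example that is not part of the original message or of any IETF draft: a small DMARC evaluator that applies identifier alignment (RFC 7489 style) to three constructed delivery paths, direct delivery, relay through a mailing list that tags the subject and signs with its own key, and the From-rewriting workaround Douglas objects to. The domains (`sender.example`, `list.example`), the DMARC record and the per-path authentication results are constructed sample data, and the organizational-domain lookup is deliberately simplified to the last two labels, where a real verifier consults the Public Suffix List.

```python
"""Added example: how DMARC identifier alignment treats mailing-list traffic.

Constructed sample data throughout; nothing here is taken from a real DNS
zone or a real message. Organizational-domain lookup is simplified (last two
labels) instead of using the Public Suffix List.
"""


def parse_dmarc_record(txt):
    """Parse a 'v=DMARC1; p=...' TXT record into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # RFC 7489 defaults: relaxed alignment for both identifiers, policy 'none'.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') compares
    organizational domains."""
    if auth_domain is None:
        return False
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def evaluate_dmarc(record, from_domain, spf_domain=None, spf_result="none",
                   dkim_signatures=()):
    """Return (disposition, reason) for one message.

    spf_domain / spf_result: the MAIL FROM domain and its SPF outcome.
    dkim_signatures: iterable of (d= domain, verification result) pairs.
    DMARC passes if any passing identifier aligns with the RFC5322.From domain;
    otherwise the record's p= policy is the disposition.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = any(result == "pass" and aligned(from_domain, d, record["adkim"])
                  for d, result in dkim_signatures)
    if spf_ok or dkim_ok:
        return "pass", "aligned " + ("spf" if spf_ok else "dkim")
    return record["p"], "no authenticated identifier aligns with From"


# Constructed policy for the author's domain: the p=reject case from the thread.
SENDER_POLICY = parse_dmarc_record("v=DMARC1; p=reject; adkim=r; aspf=r")


def direct_delivery():
    """Author's own MTA sends straight to the recipient: SPF and DKIM align."""
    return evaluate_dmarc(SENDER_POLICY, "sender.example",
                          spf_domain="sender.example", spf_result="pass",
                          dkim_signatures=[("sender.example", "pass")])


def via_mailing_list():
    """List re-sends with its own bounce address, tags the Subject (breaking the
    author's DKIM signature) and adds a signature under its own domain. The
    From header still says sender.example, so nothing aligns."""
    return evaluate_dmarc(SENDER_POLICY, "sender.example",
                          spf_domain="list.example", spf_result="pass",
                          dkim_signatures=[("sender.example", "fail"),
                                           ("list.example", "pass")])


def via_list_with_from_rewrite():
    """The From-rewriting workaround: the list replaces the author's address with
    one in its own domain, so the list's SPF/DKIM align, at the cost of the
    header no longer naming who wrote the message."""
    return evaluate_dmarc(SENDER_POLICY, "list.example",
                          spf_domain="list.example", spf_result="pass",
                          dkim_signatures=[("list.example", "pass")])


if __name__ == "__main__":
    for name, fn in [("direct", direct_delivery), ("list", via_mailing_list),
                     ("list+rewrite", via_list_with_from_rewrite)]:
        print(f"{name:13s} -> {fn()}")
```

Running the block shows the three outcomes side by side: direct delivery passes, the ordinary list relay draws the p=reject disposition, and From rewriting passes only because the authenticated identity is now the list's, which is exactly the trade-off the thread is arguing about. Switching the record to `aspf=s`/`adkim=s` makes a subdomain such as `mail.sender.example` stop aligning with `sender.example`, which is why operators that relay through subdomains usually keep relaxed alignment.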