Re: DMARC and ietf.org

[Alessandro Vesely <vesely@tana.it>]

On Fri 22/Jul/2016 08:55:41 +0200 Dave Crocker wrote:
>>>>> The most straightforward way to accomplish this would be to
>>>>> make copies of the original fields with different names, but
>>>>> of course many other approaches  are possible.
>>>>
>>>> I do not see MailMan settings to make that happen.  Maybe I missed
>>>> something...
>>>>
>>> That's most unfortunate, and I have to say moves my position from
>>> neutral to "don't do it".
>>>
>>> Reversible damage is one thing, irreversible damage another.
>>
>> That's the dilemma. An agent that obeys p=reject does irreversible
>> damage too. I can figure out how to live with p=reject being treated
>> as p=quarantine, but not with "reject means reject".
>
> There are different levels of issue here.  The one that Ned is raising is
> something that we might be able to affect.
>
> The changes made by mailing list software were done in haste and without
> community deliberation, in response to a sudden escalation.  The efforts were
> well-intentioned, but haven't been vetted.
>
> Since the changes are going to be with us for quite awhile (and maybe
> permanently) we ought to formulate a recommendation, up to the level of making
> it a BCP (or even PS...)
>
> Reversibility of the changes to the message is a requirement I hadn't heard
> before, but it makes complete sense.  My own complaint is about messing with
> the usability of the From field by the recipient.

So, in principle, it would be a decent solution to mitigate as follows:

1) MLM alters From: but copies it to, say, MLM-Original-From:,

2) MX receives a duly signed and aligned From:, and accepts the message,

3) a mitigation-aware filter, possibly using sieve or procmail or whatever, 
detects and reverses the damage introduced in (1), and

4) recipients are happy.

Let me stress that the legitimacy of (3) hinges on recipients setting up the 
damage-fixer themselves, in person.  Specifically, they should allow undoing 
alterations by MLMs they recognize, and only if their signature verifies. 
Otherwise, any attacker can add a spurious MLM-Original-From:.

> I suggest initiating a small effort to formulate a suggested 'standard'
> behavior by mediators (eg, mailing lists) that modify the rfc5322.From field,
> in response to DMARC issues.
>
> The effort should include some usability folks, since this is visible to
> recipients and the design of the details should attend to... well, you know,
> utility and ease of use.

IMHO Ned's proposal is better than conditional signatures as it can be 
modulated per recipient and per list.  However, it requires double effort by 
concerned users, who have to set up the damage-fixer everytime they subscribe 
to a list.  That operation cannot be automated, because neither recipient's MX 
nor client are aware of subscriptions.  There are various ways to overcome the 
latter issue, which can be included in the above suggested effort.


Ale
-- 
http://fixforwarding.org/