IETF Logo Mail Archive

Re: Will mailing lists survive DMARC?

Douglas Otis <doug.mtview@gmail.com> Wed, 30 April 2014 01:30 UTC

Return-Path: <doug.mtview@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EDB61A09C2 for <ietf@ietfa.amsl.com>; Tue, 29 Apr 2014 18:30:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0JX-MapDHgNc for <ietf@ietfa.amsl.com>; Tue, 29 Apr 2014 18:30:53 -0700 (PDT)
Received: from mail-pd0-x229.google.com (mail-pd0-x229.google.com [IPv6:2607:f8b0:400e:c02::229]) by ietfa.amsl.com (Postfix) with ESMTP id 87FAF1A09C3 for <ietf@ietf.org>; Tue, 29 Apr 2014 18:30:53 -0700 (PDT)
Received: by mail-pd0-f169.google.com with SMTP id y13so974594pdi.0 for <ietf@ietf.org>; Tue, 29 Apr 2014 18:30:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=krRXzcjGRu66rqR/2nqJS8xdfgkF5hTs57ofzrOz7Pw=; b=K25KPpSPeVjDjFvXEEJWMyNhxmOTC4zP5uUs68B4KCwoQLlbJEUFdFgKPefSNsWSfh rqVKysA4PbCyB8gop8qOpLaUrFmWjWSrtQBhEOEOfk+sIH9RA2fSu3AeUn/1Zwc0BYF4 078KGNlUv4i2afpAvf3qJWAxkR9iYLA32huN2tn9iIB60W3H9m15Yrx5fR+Cd6KJz1bt q98pe5DSI92PWT7ami41Ejey8UevKJwGGWE0wxOrlGVkzQhMdcA6ZufTTGfzJO9t2+UZ rZXt41ahhpkKeLrsE89bLAha9A4uyHoU1MhFJyY3HBERk2YsDBaIQbiR6DU9bT0X4faG XekA==
X-Received: by 10.66.140.104 with SMTP id rf8mr2375708pab.107.1398821452267; Tue, 29 Apr 2014 18:30:52 -0700 (PDT)
Received: from [192.168.0.54] (107-0-5-6-ip-static.hfc.comcastbusiness.net. [107.0.5.6]) by mx.google.com with ESMTPSA id lr3sm122769519pab.4.2014.04.29.18.30.50 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 29 Apr 2014 18:30:51 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_0BC75631-D52A-4D5A-86DE-1C9F98C9EEFB"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
Subject: Re: Will mailing lists survive DMARC?
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <CAL0qLwaNcFHq0bpZaN3FUibo+EK1cRggRqZrtgJbEOKQSG+Evg@mail.gmail.com>
Date: Tue, 29 Apr 2014 18:30:54 -0700
Message-Id: <400EB7EB-EE07-4526-8E76-904AF561CA00@gmail.com>
References: <20140429175606.2856.qmail@joyce.lan> <0A46725A-D80C-4F64-BACE-B2C73A04782D@gmail.com> <CAL0qLwaNcFHq0bpZaN3FUibo+EK1cRggRqZrtgJbEOKQSG+Evg@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/hn2PvEV6hmbZU1LwFPJO9S9ALbw
Cc: John Levine <johnl@taugh.com>, ietf <ietf@ietf.org>, Patrik Fältström <paf@frobbit.se>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 01:30:56 -0000

On Apr 29, 2014, at 4:54 PM, Murray S. Kucherawy <superuser@gmail.com> wrote:

> On Tue, Apr 29, 2014 at 3:00 PM, Douglas Otis <doug.mtview@gmail.com> wrote:
> There will be an effort made to better generalize the TPA expired draft.   http://tools.ietf.org/html/rfc6541 (ATPS) was hostile to existing mailing-list services and, as such, could not be deployed.  Nor was it more suitable for high volume email services.  An effort to change From header fields will have users guessing which field indicates who authored the message and in the end will provide no benefit.
> 
> ATPS was deployed as part of an open source package since before it was published.  It has seen negligible use, and I suspect that's because there has not to date been any demand for third-party signing mechanisms of any kind.  In particular, nobody has said anything even a little bit like "I would use ATPS if only it were changed in the following way(s): ...", including (and especilaly) the large messaging providers that use that open source package.
> 
> To me, this may lend credence to John Levine's claim that the list signing the message is as good or better than the author signing the message.
> 
> In any case, ATPS, TPA, and its variants all run up against a whitelisting scaling problem.  I think that's the more interesting thing to discuss.

Dear Murray,

Two significant changes from TPA occurred during the development of ATPS that made its use impossible. 

1) Unique DKIM signatures became necessary to enable third-party services.  (IESG requirement as I understand.)
  
This special signature requirement expects all services to change before ATPS becomes usable. (Impossible impediment deliberately imposed.)

2) Optional labeling scheme requiring domain unique references. (Requiring a reference to determine label encoding???)
  
Variable labeling makes scaling or exchanging data time consuming and difficult.

TPA offered a functional scheme without any third-party services first changing.  These third-party services could sign using DKIM, authorize outbound MTA using SPF, depend on EHLO validation, or whatever validation condoned by the Author Domain.   TPA even add a required List-ID alignment to further constrain authorizations for mailing-lists or specific Senders to selectively enable other types of third-party services.  TPA did not even require DKIM (nor does DMARC for that matter).

I agree with you and John about list management, but those seeking to defend their Author domain must be able to decide which exceptions are permitted as a means to foreclose on abuse.  

TPA scales better than restful JSON or other technologies or protocols currently available.  The author domain would publish concise static information that only changes in response to reports of abuse.  This approach was used to report on thousands of MTAs for very large ESPs where their recipients added a unique label to the query since this was to establish a paid service to fund largely legal expenses.  Once a too big to ignore domain using DMARC, ADSP, or yet to be determined restrictive policy implements TPA (which uses consistent labeling), other domains being similarly managed could share the same _tpa subdomain.  The scaling issue that you describe would involve mostly static resources based on feedback monitoring to allow exceptions after confirming management of third-party services. 

TPA does not shift the senders problems on to recipients as DMARC does when applied against user accounts. TPA does not demand third-party services make changes in their process as did ATPS. 

Stop being concerned about scale.  Much much more than 30,000 third-party services can be trivially supported using the TPA single query scheme.       

Regards,
Douglas Otis

v2.23.0 | Report a Bug | By Email