IETF Logo Mail Archive

Re: WG Review: Domain-based Message Authentication, Reporting & Conformance (dmarc)

Douglas Otis <doug.mtview@gmail.com> Sun, 20 July 2014 04:27 UTC

Return-Path: <doug.mtview@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED63F1A08EC; Sat, 19 Jul 2014 21:27:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0_ZZGTYyQKC5; Sat, 19 Jul 2014 21:27:54 -0700 (PDT)
Received: from mail-pa0-x22e.google.com (mail-pa0-x22e.google.com [IPv6:2607:f8b0:400e:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14C9E1A03AF; Sat, 19 Jul 2014 21:27:54 -0700 (PDT)
Received: by mail-pa0-f46.google.com with SMTP id lj1so7767868pab.33 for <multiple recipients>; Sat, 19 Jul 2014 21:27:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=RVQbAPDlcLIYStdYQRofygZmwonepkBeWl2FNOYAuCw=; b=0nOC89mHYEwGBuSz/rbUjXB3q+SZWgJj6O9oKtvNmWmthtzhicWCyjkxzaVXdD+bd7 1MN//R9qtWYQxEZpZZ9j529B/p84RYq7zEcBFke9GfGTSlLVa7iLAPrMh60T9eyPHvv6 dIO5bybr6Oiis+stQvp92ty+UWmrPCnSVgOyz1uHCoAjxhhynKf4E8L01BZuGtIKV5l7 1iS83nlEgXs5KHUJzZeNFNVsoY3gToDPTnScw6EVqKKZWn6L20zZkB5EYLvrTZjrDQS2 XqibrKPxVjNttSgpADYm/34NEcJX7EY0Rp2Qbb/zLnzOu7UVwyogFKoVsL5S4OcNr2Em dICw==
X-Received: by 10.66.159.34 with SMTP id wz2mr1017377pab.96.1405830473751; Sat, 19 Jul 2014 21:27:53 -0700 (PDT)
Received: from [192.168.2.238] (c-67-188-1-12.hsd1.ca.comcast.net. [67.188.1.12]) by mx.google.com with ESMTPSA id by7sm41674500pab.35.2014.07.19.21.27.51 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 19 Jul 2014 21:27:52 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_4F596B2A-F013-4447-93C4-F651D9A79E68"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Subject: Re: WG Review: Domain-based Message Authentication, Reporting & Conformance (dmarc)
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <ED20B4BE-74DD-4D0C-9023-284BA4311700@isdg.net>
Date: Sat, 19 Jul 2014 21:27:49 -0700
Message-Id: <09B2758F-2480-4BAD-B492-DEB69A429F22@gmail.com>
References: <20140714164212.22974.20340.idtracker@ietfa.amsl.com> <53C42DB3.5060801@gmail.com> <ED20B4BE-74DD-4D0C-9023-284BA4311700@isdg.net>
To: Hector Santos <hsantos@isdg.net>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/sX8wgC720RyvEKAHdFo0ve4KWZ8
Cc: Dave Crocker <dcrocker@gmail.com>, Pete Resnick <presnick@qti.qualcomm.com>, dmarc WG <dmarc@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Jul 2014 04:27:57 -0000

Dear Hector,

See comments inline:

On Jul 16, 2014, at 9:51 AM, Hector Santos <hsantos@isdg.net> wrote
>>>   References
>>>   ----------
>>> 
>>>   DMARC - http://dmarc.org
>>>   SPF - RFC7208
>>>   DKIM - RFC6376
>>>   Internet Message Format - RFC5322
>>>   OAR / Original Authentication Results -
>>>      draft-kucherawy-original-authres
>>>   Using DMARC -  draft-crocker-dmarc-bcp-03
>> 
>> This is missing two citations that I thought were supposed to be
>> included, since they touch on indirect email flows:
>> 
>>   Delegating DKIM Signing Authority - draft-kucherawy-dkim-delegate-00
>>   DKIM Third-Party Authorization Label - draft-otis-dkim-tpa-label-03
> 
> Why not ATPS RFC6541 production?
> http://tools.ietf.org/html/rfc6541
> 
> Consider ATPS the "lite version" of Doug's TPA. The same lookup hashing algorithm is used in both.  Further, there is real high quality commercial "running code" implementations supporting rfc6541.  All of our installations have DKIM+ADSP+ATPS out of the box with their primary domain used for automated first time setup plug and play readiness.

ATPS is not the "lite version" of TPA-Label.  This is explained in 
http://tools.ietf.org/id/draft-otis-tpa-label-04.html#rfc.appendix.C

ATPS requires DKIM signatures used by Third-Party Services to somehow determine different label encoding methods permitted by ATPS.  ATPS also lacks any discovery or exchange method for this. In contrast, TPA-Label makes NO demands on third-Party services.  None.  Since there is only one encoding method, there is NO guesswork discovering the listing encoding method. 

The extra processing is only done when DMARC indicates non-complaince where the DMARC domain can then indicate whether they have informally federated the domain in question and what if any additional information must be included in the message.  In comparison, processing a new DKIM-ike signature involves greater overhead than that needed to obtain a TPA-Label resource which happens only after the domain in question has been validated.  It seems TPA-Label represents far easier deployment and far less overhead since the Third-Party makes no change to their process and only a single, small, cacheable TPA-Label resource is provided by the DMARC domain.

While the DMARC domain can delegate the domain offering the TPA-Labels, a single server is more than able to handle what would be needed to satisfy the largest email provider, although two should be deployed for redundancy.  If a domain is being abusive, a TPA-Label can even offer a cacheable negative federation response.  TPA-Label is also able to selectively enable specific uses of Sender header fields or specific use of List-IDs.  When there is a problem with a third-party domain that ignores DMARC, the TPA-Label can also require use of OAR headers.  Unlike ATPS, TPA-Label is far easier and is capable of enabling all valid email without causing disruption.

Regards,
Douglas Otis 

 






> --
> Hector Santos
> http://www.santronics.com

v2.23.0 | Report a Bug | By Email