Re: DMARC from the perspective of the listadmin of a bunch of SMALL community lists

Hector Santos <hsantos@isdg.net> Thu, 17 April 2014 18:28 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34B331A01C7 for <ietf@ietfa.amsl.com>; Thu, 17 Apr 2014 11:28:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.702
X-Spam-Level:
X-Spam-Status: No, score=-98.702 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_16=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5oxZZVwkUTmW for <ietf@ietfa.amsl.com>; Thu, 17 Apr 2014 11:28:34 -0700 (PDT)
Received: from ntbbs.winserver.com (pop3.winserver.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id 70D3D1A0149 for <ietf@ietf.org>; Thu, 17 Apr 2014 11:28:34 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=5692; t=1397759305; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=n+RlgPWnHtCOdRleAAqbnTSOeX4=; b=ZNT6TT8R1XCxn7T6qqnL i+ka3qqdIwRNySA1EGI6hRYLxH5MdGXuY1CDJBxGTakgqNo08XH90bcmylEjmDFj EKFJh3K4warbfzKexA/pKScSG54h49KAKcrEz9ZCdCPP+vWtOUe0CtIANuCniHn5 2fWPbV7hRWIO2aRXPYC/v+Y=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Thu, 17 Apr 2014 14:28:25 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from beta.winserver.com (opensite.winserver.com [208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 867880159.3603.3900; Thu, 17 Apr 2014 14:28:24 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=5692; t=1397759234; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=4HoxZne 9Q8UtCfMl+hmu8QJ3w/JKk8vtPOSqHImma6A=; b=o5atYLOR6HJey///5ZRmL8+ QAj93DFK9QCIdnLYYpxzdTy9WNnmw4VVaorZ8fH3vcM+UPmykAESfJ+ZUI/BhdU4 335CpK2uSbjP8sjdcOAhQOvlxsrq8Kr7LFfgJRvfu7SHH0tsEnU43tVzwimp8lFy +pQJCOmibveAUHD0jyoU=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Thu, 17 Apr 2014 14:27:14 -0400
Received: from [192.168.1.2] ([99.121.4.27]) by beta.winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 887409890.9.8440; Thu, 17 Apr 2014 14:27:13 -0400
Message-ID: <53501D49.8050201@isdg.net>
Date: Thu, 17 Apr 2014 14:28:25 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: ned+ietf@mauve.mrochek.com, Douglas Otis <doug.mtview@gmail.com>
Subject: Re: DMARC from the perspective of the listadmin of a bunch of SMALL community lists
References: <53499A5E.9020805@meetinghouse.net> <5349A261.9040500@dcrocker.net> <5349AE35.2000908@meetinghouse.net> <5349BCDA.7080701@gmail.com> <01P6L9JZF5SC00004W@mauve.mrochek.com> <CAL0qLwZr=wVX6eD+yGVOaxkSy5fJbuAErTshOG+2BywUvkDfAA@mail.gmail.com> <01P6QCMYYMJ000004W@mauve.mrochek.com> <833BDCD2-1157-4914-B385-C300AF33E2D4@gmail.com> <01P6QWP7AI2G00004W@mauve.mrochek.com>
In-Reply-To: <01P6QWP7AI2G00004W@mauve.mrochek.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/z7VQyNy8oPYcw5ApfMNmu53YuEg
Cc: ietf <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Apr 2014 18:28:39 -0000

Ned,

I don't see this as a big technical problem.  The engineering has been 
done. For the most part, not to over simplify, this was a battle 
between two camps:

    DKIM + POLICY (1st party author domain) framework
    DKIM + TRUST (3rd party signer domain) framework

DKIM is a trust model. It was unfortunate, by design, the Policy 
Semantics were pulled.  The trust advocates "won the war" by finally 
making ADSP historic to make room for DMARC where the focus was mostly 
about Reporting.  Even with ADSP, we were collecting information but 
it lacked the reporting part, unlike early versions of the policy 
proposals. But DMARC reporting was richer.

But this DMARC did have a similar handling logic it learned from SSP, 
DSAP and ADSP. It was odd but I presume the IETF believed DMARC 
p=reject will not be used as much as they strongly believed the 
equivalent ADSP dkim=discardable policy would never be used or 
honored, and if so, in a small insignificant way.

YAHOO changed that mindset and reality. Did they ever! In my book, as 
I always knew this lost of policy focus would have to be corrected 
some day.  Yahoo has forced the issue. Policy wins.

To me, both TRUST and POLICY are needed.

POLICY is just a first level filter of the most obvious domain 
practice faults. After policy passes the test, the trust layer comes 
in. After all, for DKIM trust query to be activated, the signature 
must exist and be valid per specification.

But just with using trust, Yahoo could of used the signer domain as 
the DKIM specs wanted it to do in the first place to lookup some 
"trusted" whitelist or 3rd party service to see if the signer domain 
is a "good guy."  It could of also accepted and quarantined the 
message allowing the user to white list the signer domain.  Yahoo 
online mail UI can offer the user a "DKIM whitelist" input field. 
Yahoo can keep this to itself or it can create public ATPS records, if 
it makes sense.

DKIM also has the Agent or User Id (AUID), the i= tag in 
DKIM-signature, that can be used as some MLM signing method.  I think 
we need to explore this again.

But ultimately, the author domain policies should be honored as the 
first layer check before trust can even come into play.  That mindset 
needs to be accepted.

The hard part is going to be getting the same folks to change their 
tune about how the Author Domain fits in with DKIM specification.  The 
DKIM abstract says:

    DKIM separates the question of the identity of
    the Signer of the message from the purported author
    of the message.

Impossible. I always wanted to know which "question" that was. 
5322.From is the sole single technical requirement to be hash bound to 
the signature.  There will always be an authorization relationship.

-- 
HLS

On 4/17/2014 11:46 AM, ned+ietf@mauve.mrochek.com wrote:
>
>> On Apr 16, 2014, at 11:00 PM, ned+ietf@mauve.mrochek.com wrote:
>
>>>> On Sat, Apr 12, 2014 at 4:35 PM, <ned+ietf@mauve.mrochek.com> wrote:
>>>
>>>>> The underlying technical issue is that the two technologies DMARC is built
>>>>> on -
>>>>> DKIM and SPF - both attach additional/restrictive semantics to
>>>>> longstanding mail
>>>>> system fields. (Broadly speaking, From: for DKIM and MAIL FROM for SPF.)
>>>>>
>>>
>>>> Something's amiss here.  What new semantics does DKIM attach to From:?  As
>>>> far as I know, it only requires that the field be signed.  It doesn't
>>>> require that it be interpreted in a particular way or that it contain any
>>>> particular value.
>>>
>>> I was trying to be brief. Yes, I'm well aware that DKIM can be used in other
>>> ways. This entire discussion is within the context of DMARC here. Do you
>>> disagree that DMARC's use of DKIM and SPF assign additional semantics to header
>>> and envelope from fields respectively?
>
>> Murray is correct. DKIM does not create special From header field semantics.
>
> Actually, by requiring that the signature cover the From: field, it sort
> of does. But that's beside the point. Again, I was talking about DMARC's
> use of DKIM, not DKIM usage in general.
>
>> However, DMARC semantics are similar to those of ADSP while avoiding some
>> shortcomings.
>
> But both of them attach additional semantics to From:. (Not that they had
> a choice; as I pointed out previously, in order to acheieve the stated
> goal they have to attach the check to the identity users actually see.)
>
>> ...
>
>>>> Also: By "the IETF published a draft", are you talking about an RFC, or the
>>>> DMARC base draft?
>>>
>>> The draft, of course.
>>>
>>>> It seems extreme to lay blame on the IETF in general
>>>> merely for having an open mechanism by which to post a draft for all to see
>>>> and discuss.  A "Request For Comment", as it were.
>>>
>>> You may think it extreme. I don't. I think the IETF's politics have led to  it
>>> inching closer to moral hazard territory for a long time, and with this
>>> incident it has stepped in it.
>
>> This disruption should be shared with the provider that has already
>> enumerated 30,000 mailing-lists but made no effort to establish a means to
>> verify these sources and to safely assert specific exceptions to DMARC
>> alignment requirements. This ability is desperately needed before applying
>> DMARC reject on user accounts.  I'll be happy to modify either ATP or ATPS to
>> permit these exceptions without the need to alter mailing-list.
>
> I'm by no means sure that ATP or ATPS is the right answer, but I certainly
> agree that we need to at least try and address the situation that's been
> created.
>
> Sigh. We have a lot of work to do, don't we?
>
> 				Ned
>
>
>