Re: [EAI] [dmarc-ietf] Identification of an email author (was - Re: IETF Mailing Lists and DMARC)
John C Klensin <john-ietf@jck.com> Tue, 08 November 2016 03:25 UTC
Return-Path: <john-ietf@jck.com>
X-Original-To: ima@ietfa.amsl.com
Delivered-To: ima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D1F9129490; Mon, 7 Nov 2016 19:25:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.397
X-Spam-Level:
X-Spam-Status: No, score=-3.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.497] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3oZaMlanucHE; Mon, 7 Nov 2016 19:25:41 -0800 (PST)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AAD1126D74; Mon, 7 Nov 2016 19:25:41 -0800 (PST)
Received: from [198.252.137.10] (helo=JcK-HP8200) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1c3x2U-000IJN-GW; Mon, 07 Nov 2016 22:25:34 -0500
Date: Mon, 07 Nov 2016 22:25:29 -0500
From: John C Klensin <john-ietf@jck.com>
To: ned+ietf@mauve.mrochek.com, Dave Crocker <dcrocker@gmail.com>
Message-ID: <B3DC791C1E1FC26F69500F06@JcK-HP8200>
In-Reply-To: <01Q71GG3KUM8011H9Q@mauve.mrochek.com>
References: <678C2FBA-A661-4556-A300-5C08562B5F8A@iii.ca> <CABa8R6vHdt75NFKW3s6xOzLcq=jmVAHDPX0tjLRdGpYSTP2cYA@mail.gmail.com> <33b100ac-c035-8b49-22e1-edbe47f41919@dcrocker.net> <CABa8R6u7WbbeXzkhkNM46RYtMSw7V9FT2m_LvKLHaFDvF3cw3A@mail.gmail.com> <CO2PR00MB0103566D260F9BFEC7166C9B96A20@CO2PR00MB0103.namprd00.pr od.outlook.com> <5FA03832-D38F-47F2-B974-7C903C7513FD@fugue.com> <CO2PR00MB01034350A8C90A1E039336F796A20@CO2PR00MB0103.namprd00.prod.outlook.com> <WM!9664810c615567bf070fc649d954183e561aaa67977ebde37433238a98da7 930f34ca08db8c430e48500f1e63f6d7622!@mailstronghold-1.zmailcloud.com> <713098835.18678872.1478547678821.JavaMail.zimbra@peachymango.org > <969d43d4-78c9-6e44-e186-ca6ed6fa3445@dcrocker.net> <01Q71GG3KUM8011H9Q@mauve.mrochek.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.10
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/ima/J5ahXN7-ntZJlWXDsQLF851bIaw>
Cc: ima@ietf.org, dmarc@ietf.org, IETF <ietf@ietf.org>, Terry Zink <tzink@exchange.microsoft.com>, Franck Martin <franck@peachymango.org>
Subject: Re: [EAI] [dmarc-ietf] Identification of an email author (was - Re: IETF Mailing Lists and DMARC)
X-BeenThere: ima@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "EAI \(Email Address Internationalization\)" <ima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ima>, <mailto:ima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ima/>
List-Post: <mailto:ima@ietf.org>
List-Help: <mailto:ima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ima>, <mailto:ima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2016 03:25:43 -0000
(adding the EAI list to the distribution -- there are people who hang out there who need to see, and check on, this) --On Monday, November 07, 2016 15:08 -0800 ned+ietf@mauve.mrochek.com wrote: >> Absent that, there's the small question about how the EAI >> group would have the authority to make such a major change to >> such a basic email feature... > > RFC 6854 can speak for itself as to the rationale for allowing > no address. > > The EAI connection was, as I recall, for use in downgrade > formats used to > present EAI messages to non-EAI clients via POP3 and IMAP4. Yes. IIR, 6854 was written the way it was in order to avoid getting tangled up with normative dependencies on the EAI specs. However, I find the combination of its Section 3 ("Applicability Statement") and Security Considerations rather clear as to both the motivation and the "don't do this if you don't need to and especially don't originate a message with this" advice. "Limited Use" is really very restrictive. The problem (and tradeoff) are as follows: A message gets delivered and gets as far as a mailstore with a backward-pointing address that looks like: "Non ASCii Name Phrase" <non-ascii-local-part@domain-part> Note that, if the message got that far, the delivery MTA advertised itself as fully SMTPUTF8-complaint. Then a POP or IMAP client comes along that does not support non-ASCII addresses or headers. Now, there are probably three plausible choices for the IMAP server (other than just dying a horrible death): (a) Trash the message on the theory that any users who would get themselves into that situation deserve it. However, remember the important case is a backward-pointing address and, in the general case, the delivery server doesn't know what client(s) the user is going to use (and there might be more than one). (b) Figure out how to respond to any IMAP request that involves that message with some flavor of "I have this message for you, but you can't get it and I can't tell you about it until you show up with an upgraded client". (c) Convert "Non ASCii Name Phrase" to encoded words and then do something unpleasant to the address, of which using group syntax was by far the least problematic solution anyone could come up with. If the Return-path in the mailstore is the same as the address in the "From:" and/or "Sender:" header fields, it is going to be trashed, so a competent IMAP server doing this is going to figure out how to warn the user and the user, perhaps after consulting support personnel the first time one of these happens to her, is going to figure out that doing anything with the message other than broadly getting its gist is going to require using an upgraded client. IIR, these issues are discussed at some length in RFCs 6855-6858. Now, coming back to the "identification of ... author" problem and remembering the "Limited Use" bit, if I were designing a submission server and something reached me with a group name in the "From:" (or "Sender:") field, I'd probably return it to whence it came. I'd probably do the same thing if I were a relay or delivery server, noting that there is no equivalent to group syntax in SMTP. Both are entirely consistent with Limited Use -- if one uses it in a context in which it makes no sense or poses a security threat, one refuses to accept it. If anyone things that needs to be said more clearly in one of the EAI-related documents and wants to suggest language, I, and I assume others, anxiously await an I-D. john
- Re: [EAI] [dmarc-ietf] Identification of an email… John C Klensin
- Re: [EAI] [dmarc-ietf] Identification of an email… Brandon Long