Re: [EAI] [dmarc-ietf] Identification of an email author (was - Re: IETF Mailing Lists and DMARC)

John C Klensin <john-ietf@jck.com> Tue, 08 November 2016 03:25 UTC

Return-Path: <john-ietf@jck.com>
X-Original-To: ima@ietfa.amsl.com
Delivered-To: ima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D1F9129490; Mon, 7 Nov 2016 19:25:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.397
X-Spam-Level:
X-Spam-Status: No, score=-3.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.497] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3oZaMlanucHE; Mon, 7 Nov 2016 19:25:41 -0800 (PST)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AAD1126D74; Mon, 7 Nov 2016 19:25:41 -0800 (PST)
Received: from [198.252.137.10] (helo=JcK-HP8200) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1c3x2U-000IJN-GW; Mon, 07 Nov 2016 22:25:34 -0500
Date: Mon, 07 Nov 2016 22:25:29 -0500
From: John C Klensin <john-ietf@jck.com>
To: ned+ietf@mauve.mrochek.com, Dave Crocker <dcrocker@gmail.com>
Message-ID: <B3DC791C1E1FC26F69500F06@JcK-HP8200>
In-Reply-To: <01Q71GG3KUM8011H9Q@mauve.mrochek.com>
References: <678C2FBA-A661-4556-A300-5C08562B5F8A@iii.ca> <CABa8R6vHdt75NFKW3s6xOzLcq=jmVAHDPX0tjLRdGpYSTP2cYA@mail.gmail.com> <33b100ac-c035-8b49-22e1-edbe47f41919@dcrocker.net> <CABa8R6u7WbbeXzkhkNM46RYtMSw7V9FT2m_LvKLHaFDvF3cw3A@mail.gmail.com> <CO2PR00MB0103566D260F9BFEC7166C9B96A20@CO2PR00MB0103.namprd00.pr od.outlook.com> <5FA03832-D38F-47F2-B974-7C903C7513FD@fugue.com> <CO2PR00MB01034350A8C90A1E039336F796A20@CO2PR00MB0103.namprd00.prod.outlook.com> <WM!9664810c615567bf070fc649d954183e561aaa67977ebde37433238a98da7 930f34ca08db8c430e48500f1e63f6d7622!@mailstronghold-1.zmailcloud.com> <713098835.18678872.1478547678821.JavaMail.zimbra@peachymango.org > <969d43d4-78c9-6e44-e186-ca6ed6fa3445@dcrocker.net> <01Q71GG3KUM8011H9Q@mauve.mrochek.com>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.10
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/ima/J5ahXN7-ntZJlWXDsQLF851bIaw>
Cc: ima@ietf.org, dmarc@ietf.org, IETF <ietf@ietf.org>, Terry Zink <tzink@exchange.microsoft.com>, Franck Martin <franck@peachymango.org>
Subject: Re: [EAI] [dmarc-ietf] Identification of an email author (was - Re: IETF Mailing Lists and DMARC)
X-BeenThere: ima@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "EAI \(Email Address Internationalization\)" <ima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ima>, <mailto:ima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ima/>
List-Post: <mailto:ima@ietf.org>
List-Help: <mailto:ima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ima>, <mailto:ima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2016 03:25:43 -0000

(adding the EAI list to the distribution -- there are people who
hang out there who need to see, and check on, this)

--On Monday, November 07, 2016 15:08 -0800
ned+ietf@mauve.mrochek.com wrote:

>> Absent that, there's the small question about how the EAI
>> group would have the authority to make such a major change to
>> such a basic email feature...
> 
> RFC 6854 can speak for itself as to the rationale for allowing
> no address.
> 
> The EAI connection was, as I recall, for use in downgrade
> formats used to
> present EAI messages to non-EAI clients via POP3 and IMAP4.

Yes.
IIR, 6854 was written the way it was in order to avoid getting
tangled up with normative dependencies on the EAI specs.
However, I find the combination of its Section 3 ("Applicability
Statement") and Security Considerations rather clear as to both
the motivation and the "don't do this if you don't need to and
especially don't originate a message with this" advice.
"Limited Use" is really very restrictive.
 
The problem (and tradeoff) are as follows:

A message gets delivered and gets as far as a mailstore with a
backward-pointing address that looks like:
  "Non ASCii Name Phrase" <non-ascii-local-part@domain-part>

Note that, if the message got that far, the delivery MTA
advertised itself as fully SMTPUTF8-complaint.

Then a POP or IMAP client comes along that does not support
non-ASCII addresses or headers.   Now, there are probably three
plausible choices for the IMAP server (other than just dying a
horrible death):

(a) Trash the message on the theory that any users who would get
themselves into that situation deserve it.  However, remember
the important case is a backward-pointing address and, in the
general case, the delivery server doesn't know what client(s)
the user is going to use (and there might be more than one).

(b) Figure out how to respond to any IMAP request that involves
that message with some flavor of "I have this message for you,
but you can't get it and I can't tell you about it until you
show up with an upgraded client".

(c) Convert "Non ASCii Name Phrase" to encoded words and then do
something unpleasant to the address, of which using group syntax
was by far the least problematic solution anyone could come up
with.  If the Return-path in the  mailstore is the same as the
address in the "From:" and/or "Sender:" header fields, it is
going to be trashed, so a competent IMAP server doing this is
going to figure out how to warn the user and the user, perhaps
after consulting support personnel the first time one of these
happens to her, is going to figure out that doing anything with
the message other than broadly getting its gist is going to
require using an upgraded client.

IIR, these issues are discussed at some length in RFCs 6855-6858.

Now, coming back to the "identification of ... author" problem
and remembering the "Limited Use" bit, if I were designing a
submission server and something reached me with a group name in
the "From:" (or "Sender:") field, I'd probably return it to
whence it came.    I'd probably do the same thing if I were a
relay or delivery server, noting that there is no equivalent to
group syntax in SMTP.   Both are entirely consistent with
Limited Use -- if one uses it in a context in which it makes no
sense or poses a security threat, one refuses to accept it.

If anyone things that needs to be said more clearly in one of
the EAI-related documents and wants to suggest language, I, and
I assume others, anxiously await an I-D.

   john