Re: [marf] Adrian Farrel's No Objection on draft-ietf-marf-as-15: (with COMMENT)

"Adrian Farrel" <adrian@olddog.co.uk> Wed, 25 April 2012 20:54 UTC

From: Adrian Farrel <adrian@olddog.co.uk>
To: "'Murray S. Kucherawy'" <msk@cloudmark.com>, 'The IESG' <iesg@ietf.org>
Date: Wed, 25 Apr 2012 21:54:17 +0100
Cc: draft-ietf-marf-as@tools.ietf.org, marf-chairs@tools.ietf.org, marf@ietf.org

wfm
thanks for listening
A

> -----Original Message-----
> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf Of
> Murray S. Kucherawy
> Sent: 25 April 2012 21:43
> To: adrian@olddog.co.uk; 'The IESG'
> Cc: draft-ietf-marf-as@tools.ietf.org; marf-chairs@tools.ietf.org; marf@ietf.org
> Subject: RE: Adrian Farrel's No Objection on draft-ietf-marf-as-15: (with
> COMMENT)
> 
> > -----Original Message-----
> > From: Adrian Farrel [mailto:adrian@olddog.co.uk]
> > Sent: Wednesday, April 25, 2012 1:32 PM
> > To: Murray S. Kucherawy; 'The IESG'
> > Cc: marf-chairs@tools.ietf.org; draft-ietf-marf-as@tools.ietf.org;
> > marf@ietf.org
> > Subject: RE: Adrian Farrel's No Objection on draft-ietf-marf-as-15:
> > (with COMMENT)
> >
> > Simply (to my reading - which you may ignore if you feel I am not
> > reading clearly) that the thought you captured above is not clear.
> >
> > I read a rather despairing statement that since DKIM and SPF might not
> > be working it is a toss-up whether you have reports being discarded
> > because the signature fails or reports being spoofed.
> >
> > If this is "state of the art" for email systems then maybe there is
> > nothing else to say.
> >
> > It struck me, however, that reports are going to be consumed by
> > automatic systems. If I get an email where the signature fails, I can
> > perform all sorts of human verification of the email and make a
> > judgement call on the validity of the email. A software system
> > processing reports is less flexible and so more exposed.
> >
> > Perhaps the clarity that is needed is the strong hint that "Therefore
> > the use of DKIM and/or SPF is RECOMMENDED and it is important to ensure
> > that the security infrastructure is working properly."
> 
> [Cc'd to the marf list so that they can check my math here]
> 
> I'm one of those people that's not a fan of normative language in Security
> Considerations, so how's this?:
> 
>    Perhaps the simplest means of mitigating this threat is to assert
>    that these reports should themselves be signed with something like
>    DKIM and/or authorized by something like SPF.  Note, however, that if
>    there is a problem with the email infrastructure at either end, DKIM
>    and/or SPF may result in reports that aren't trusted or even accepted
>    by their intended recipients, so it is important to make sure those
>    components are properly configured.  Use of both technologies in
>    tandem can resolve this concern to a degree since they generally have
>    disjoint failure modes.
> 
> -MSK
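
The point raised in the thread, that an automated report consumer cannot make a human judgement call on an unauthenticated report, can be shown as a triage gate. This is an added example, not part of the original messages or of the draft; the authserv-id, the domains and the decision labels are assumptions, and the sample messages are constructed.

```python
import email
from email import policy

# Assumption: authserv-id stamped by our own border MTA, which also strips
# any inbound Authentication-Results header that already carries this id.
TRUSTED_AUTHSERV_ID = "mx.consumer.example"

def auth_results(msg):
    """Return {method: result} taken only from our own MTA's headers."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in str(value).split(";")]
        if parts[0].split()[:1] != [TRUSTED_AUTHSERV_ID]:
            continue  # stamped elsewhere: the sender may have forged it
        for clause in parts[1:]:
            method, sep, rest = clause.partition("=")
            tokens = rest.split()
            if sep and tokens:
                results.setdefault(method.strip().lower(), tokens[0].lower())
    return results

def triage(raw):
    """Decide what an automated consumer does with an incoming report."""
    msg = email.message_from_string(raw, policy=policy.default)
    report_type = (msg.get_param("report-type") or "").lower()
    if msg.get_content_type() != "multipart/report" or report_type != "feedback-report":
        return "not-a-report"
    res = auth_results(msg)
    # DKIM and SPF generally fail for different reasons, so a pass from
    # either one is accepted; with neither, a human looks at the report.
    if res.get("dkim") == "pass" or res.get("spf") == "pass":
        return "process"
    return "hold-for-review"

def sample(*auth_headers):
    """Constructed minimal feedback report with the given auth headers."""
    head = "".join(f"Authentication-Results: {h}\n" for h in auth_headers)
    return (head + "From: fbl@reporter.example\n"
            'Content-Type: multipart/report; report-type=feedback-report; boundary="b"\n'
            "\n--b\nContent-Type: text/plain\n\nThis is an abuse report.\n"
            "--b\nContent-Type: message/feedback-report\n\n"
            "Feedback-Type: abuse\nVersion: 1\n\n--b--\n")

OURS = TRUSTED_AUTHSERV_ID + "; "
if __name__ == "__main__":
    print(triage(sample(OURS + "dkim=fail header.d=reporter.example; spf=pass")))
    print(triage(sample("mx.evil.example; dkim=pass", OURS + "dkim=fail; spf=fail")))
```
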