Re: [marf] Adrian Farrel's No Objection on draft-ietf-marf-as-15: (with COMMENT)
"Adrian Farrel" <adrian@olddog.co.uk> Wed, 25 April 2012 20:54 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: marf@ietfa.amsl.com
Delivered-To: marf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 002DA11E8074; Wed, 25 Apr 2012 13:54:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.523
X-Spam-Level:
X-Spam-Status: No, score=-2.523 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dl3dYt+-CPzp; Wed, 25 Apr 2012 13:54:25 -0700 (PDT)
Received: from asmtp1.iomartmail.com (asmtp1.iomartmail.com [62.128.201.248]) by ietfa.amsl.com (Postfix) with ESMTP id 33CB711E8072; Wed, 25 Apr 2012 13:54:25 -0700 (PDT)
Received: from asmtp1.iomartmail.com (localhost.localdomain [127.0.0.1]) by asmtp1.iomartmail.com (8.13.8/8.13.8) with ESMTP id q3PKsJvk005614; Wed, 25 Apr 2012 21:54:19 +0100
Received: from 950129200 (dsl-sp-81-140-15-32.in-addr.broadbandscope.com [81.140.15.32]) (authenticated bits=0) by asmtp1.iomartmail.com (8.13.8/8.13.8) with ESMTP id q3PKsI70005601 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 25 Apr 2012 21:54:19 +0100
From: Adrian Farrel <adrian@olddog.co.uk>
To: "'Murray S. Kucherawy'" <msk@cloudmark.com>, 'The IESG' <iesg@ietf.org>
References: <20120425170640.27848.77721.idtracker@ietfa.amsl.com> <9452079D1A51524AA5749AD23E00392810297C@exch-mbx901.corp.cloudmark.com> <073501cd2322$71120900$53361b00$@olddog.co.uk> <9452079D1A51524AA5749AD23E003928102A1B@exch-mbx901.corp.cloudmark.com>
In-Reply-To: <9452079D1A51524AA5749AD23E003928102A1B@exch-mbx901.corp.cloudmark.com>
Date: Wed, 25 Apr 2012 21:54:17 +0100
Message-ID: <074901cd2325$94e88180$beb98480$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQL0KC9i4/IYaruXuTwYGVqhSUKftQGa1sZUAdVffz4BdFaQS5Q21W+Q
Content-Language: en-gb
X-Mailman-Approved-At: Wed, 25 Apr 2012 13:54:56 -0700
Cc: draft-ietf-marf-as@tools.ietf.org, marf-chairs@tools.ietf.org, marf@ietf.org
Subject: Re: [marf] Adrian Farrel's No Objection on draft-ietf-marf-as-15: (with COMMENT)
X-BeenThere: marf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: adrian@olddog.co.uk
List-Id: Message Abuse Report Format working group discussion list <marf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/marf>, <mailto:marf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/marf>
List-Post: <mailto:marf@ietf.org>
List-Help: <mailto:marf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/marf>, <mailto:marf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Apr 2012 20:54:26 -0000
wfm thanks for listening A > -----Original Message----- > From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf Of > Murray S. Kucherawy > Sent: 25 April 2012 21:43 > To: adrian@olddog.co.uk; 'The IESG' > Cc: draft-ietf-marf-as@tools.ietf.org; marf-chairs@tools.ietf.org; marf@ietf.org > Subject: RE: Adrian Farrel's No Objection on draft-ietf-marf-as-15: (with > COMMENT) > > > -----Original Message----- > > From: Adrian Farrel [mailto:adrian@olddog.co.uk] > > Sent: Wednesday, April 25, 2012 1:32 PM > > To: Murray S. Kucherawy; 'The IESG' > > Cc: marf-chairs@tools.ietf.org; draft-ietf-marf-as@tools.ietf.org; > > marf@ietf.org > > Subject: RE: Adrian Farrel's No Objection on draft-ietf-marf-as-15: > > (with COMMENT) > > > > Simply (to my reading - which you may ignore if you feel I am not > > reading clearly) that the thought you captured above is not clear. > > > > I read a rather despairing statement that since DKIM and SPF might not > > be working it is a toss-up whether you have reports being discarded > > because the signature fails or reports being spoofed. > > > > If this is "state of the art" for email systems then maybe there is > > nothing else to say. > > > > It struck me, however, that reports are going to be consumed by > > automatic systems. If I get an email where the signature fails, I can > > perform all sorts of human verification of the email and make a > > judgement call on the validity of the email. A software system > > processing reports is less flexible and so more exposed. > > > > Perhaps the clarity that is needed is the strong hint that "Therefore > > the use of DKIM and/or SPF is RECOMMENDED and it is important to ensure > > that the security infrastructure is working properly." > > [Cc'd to the marf list so that they can check my math here] > > I'm one of those people that's not a fan of normative language in Security > Considerations, so how's this?: > > Perhaps the simplest means of mitigating this threat is to assert > that these reports should themselves be signed with something like > DKIM and/or authorized by something like SPF. Note, however, that if > there is a problem with the email infrastructure at either end, DKIM > and/or SPF may result in reports that aren't trusted or even accepted > by their intended recipients, so it is important to make sure those > components are properly configured. Use of both technologies in > tandem can resolve this concern to agree since they generally have > disjoint failure modes. > > -MSK
- Re: [marf] Adrian Farrel's No Objection on draft-… Murray S. Kucherawy
- Re: [marf] Adrian Farrel's No Objection on draft-… Adrian Farrel
- Re: [marf] Adrian Farrel's No Objection on draft-… Murray S. Kucherawy
- Re: [marf] Adrian Farrel's No Objection on draft-… Adrian Farrel
- Re: [marf] Adrian Farrel's No Objection on draft-… Barry Leiba
- Re: [marf] Adrian Farrel's No Objection on draft-… Murray S. Kucherawy