Re: [secdir] SecDir review of draft-ietf-dmarc-interoperability

Kurt Andersen <kandersen@linkedin.com> Wed, 15 June 2016 18:59 UTC


On Tue, Jun 14, 2016 at 4:42 PM, Sean Turner <sean@sn3rd.com> wrote:

> Summary: I think it’s ready, but just wanted to check on one thing.  The
> difference between the following sentences in s1 and s4:
>
> s1:  Note that some practices which are in use at the time of this
> document may or may not be "best practices", especially as future standards
> evolve.
>
> s4: Note that these particular mechanisms may not be considered "best
> practices" and may, in some cases, violate various conventions or
> expectations.
>
> made me wonder whether the two identified sections in the security
> considerations are the only sections that contain text that "violates
> various conventions or exceptions".  I don’t want to grind the
> security axe on eMail, DKIM, SPF only on what’s changed.
>

The intent in s1 is to warn that, in general, some of the approaches have
various degrees of controversy associated with them at this time.

s4 is more oriented toward the "experimental" nature of some of the
mitigation strategies which are mentioned - without wanting to call out
particular approaches as being more or less controversial. s4 falls into
the scope of the explicit "possible mitigations" section of the document,
so we thought it important to reiterate the caution which was initially
raised in s1.

--Kurt