Re: [secdir] [spfbis] SECDIR Review of draft-ietf-spfbis-4408bis-19

Phillip Hallam-Baker <hallam@gmail.com> Wed, 11 September 2013 14:33 UTC

In-Reply-To: <CAL0qLwZ1HXEfTzvL9KtRmLRvfsgEB4Fy5x7EMV7qjekG7oTwLA@mail.gmail.com>
References: <CAMm+Lwg4hcnk+uPQZizeRM++tic4utQ4P4mFFeKoq=Dx=0nvJw@mail.gmail.com> <6.2.5.6.2.20130911060419.0ddb37c8@elandnews.com> <CAL0qLwZ1HXEfTzvL9KtRmLRvfsgEB4Fy5x7EMV7qjekG7oTwLA@mail.gmail.com>
Date: Wed, 11 Sep 2013 10:33:45 -0400
Message-ID: <CAMm+LwhtmjBXQ1ZQRhKW-2FvPG2AkW5fyRN7ihMOT9UJdPgkkQ@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: "spfbis@ietf.org" <spfbis@ietf.org>, draft-ietf-spfbis-4408bis.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>, S Moonesamy <sm+ietf@elandsys.com>, The IESG <iesg@ietf.org>

On Wed, Sep 11, 2013 at 9:43 AM, Murray S. Kucherawy <superuser@gmail.com> wrote:

> On Wed, Sep 11, 2013 at 6:22 AM, S Moonesamy <sm+ietf@elandsys.com> wrote:
>
>> I am responding to the comment about DKIM only and will wait for the SPFBIS WG
>> to address the other issues.
>>
>
> Was the SecDir review for this draft posted to the spfbis list?  I haven't
> seen it.
>

The draft-ietf-spfbis-4408bis.all@tools.ietf.org doesn't cover it? I
thought that was the point.

>>> The Security Considerations section is adequate for the purpose except
>>> that no mention is made anywhere in the specification about DKIM and how a
>>> mail receiver should interpret presence of DKIM and SPF policy at the same
>>> time. This is a legitimate concern since DKIM is already a standards track
>>> proposal and SPF is only now being promoted to Standards Track. Thus the
>>> SPF document should address the question of dual use.
>>>
>>
>> There was a BoF at the last IETF meeting to discuss proposals about how
>> to interpret the presence of DKIM and/or SPF policy at the same time
>> (http://www.ietf.org/proceedings/87/minutes/minutes-87-dmarc). The dual use
>> can be addressed as part of the DMARC effort.
>>
>
> DKIM has no intrinsic policy component. Are we actually talking about
> ADSP here?
>

If a message has a DKIM signature and it is valid for the sending domain
then that is strong evidence that the owner of the domain intended to send
it. Hence DKIM Signature overlaps with SPF policy.

Regardless, RFC 5617 is standards track and it is a part of DKIM, and the SPF
document should probably mention it as well.



> Assuming we are, I think the best we could do is to note that it's
> possible for ADSP and SPF to yield conflicting policy results; one could be
> a "pass" while the other could be a "fail", meaning the receiving MTA now
> has one "reject" instruction and one "accept" instruction.  The receiving
> ADMD will have to make a decision about which one ought to get precedence.
>

I suspect that the answer is that SPF will take precedence simply because
the MAIL FROM will be received and acted upon before the MTA has enough
information to act on DKIM information. An MTA that decides email is spam
on the basis of SPF is likely to drop the connection or tar pit it. I doubt
it is going to bother to check a DKIM signature.

-- 
Website: http://hallambaker.com/
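The two points raised in this exchange, that SPF and ADSP can return conflicting verdicts and that SPF is acted on at MAIL FROM before a DKIM signature is even available, can be seen in a small receiver model. This is an added example, not code from the thread or from any MTA; the DNS records are constructed, the SPF evaluator is a minimal subset of RFC 7208 (ip4/ip6, include, all), and the post-DATA precedence rule for conflicting results is the example's own choice, which is exactly the decision the receiving ADMD has to make.

```python
"""Receiver model: SPF at MAIL FROM, DKIM/ADSP only after DATA. Constructed data."""
import ipaddress

# Constructed zone data (not real records): SPF TXT records and one ADSP record.
DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "_adsp._domainkey.example.org": "dkim=discardable",
}

def check_spf(domain, ip, depth=0):
    """Minimal SPF evaluator: ip4/ip6 (CIDR), include, and all with qualifiers.
    Returns pass, fail, softfail, neutral, none or permerror."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:            # RFC 7208 caps DNS-querying terms; abort on abuse
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(arg, ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"

def receiver_verdict(mail_from_domain, client_ip, dkim_result, signing_domain):
    """Stage-ordered decision. SPF fail rejects at MAIL FROM, so the DKIM
    signature (which only arrives with DATA) is never examined.
    Returns (stage, action, spf_result, dkim_was_examined)."""
    spf = check_spf(mail_from_domain, client_ip)
    if spf == "fail":
        return ("MAIL FROM", "reject", spf, False)
    # Past DATA: DKIM verdict and ADSP policy are now available and may conflict.
    adsp = DNS_TXT.get("_adsp._domainkey." + signing_domain, "").removeprefix("dkim=")
    if dkim_result == "pass":
        return ("DATA", "accept", spf, True)
    if adsp == "discardable":     # example's own rule: ADSP outranks an SPF pass here
        return ("DATA", "discard", spf, True)
    return ("DATA", "accept", spf, True)
```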