Re: [secdir] [spfbis] SECDIR Review of draft-ietf-spfbis-4408bis-19
"Murray S. Kucherawy" <superuser@gmail.com> Wed, 11 September 2013 16:35 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C4B521E818E; Wed, 11 Sep 2013 09:35:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.591
X-Spam-Level:
X-Spam-Status: No, score=-2.591 tagged_above=-999 required=5 tests=[AWL=0.008, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VA0jNJwNVgkF; Wed, 11 Sep 2013 09:35:11 -0700 (PDT)
Received: from mail-wi0-x22c.google.com (mail-wi0-x22c.google.com [IPv6:2a00:1450:400c:c05::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 3132521E813D; Wed, 11 Sep 2013 09:35:10 -0700 (PDT)
Received: by mail-wi0-f172.google.com with SMTP id c10so2429971wiw.11 for <multiple recipients>; Wed, 11 Sep 2013 09:35:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=OFUEkfGms1yjtgV9g6CStIWaSTTg9EedrPvmm+62DuE=; b=lC9BqIACzOjHoq5zT09Z8dZ03ZRerzFXVllcP+H7mMwow3rZcW4Y2zNXQZXcXMy+Rr h84zmPDE69W5RGLMJKHRPAJCuxM/Vgvl7h3SuuvwdqhLFLzSsHuFFkmabUGCTxEKdgRP r0OWJixwg7Wtzedd2t8o1u3dZspTZOTI9S7HuX+pa95bglO5osSqly81ESOSnUbI9ATa HylXrglE8/8bw+FjOkZxHtw+EnOck6nUjI6yO9DdoDxVDL5IYxCnp/1nouvOUj4+++VY tWVSdWeu70y09HoFPFUTdtesfCoOtmWZcKQY/pUGe4YdtYHhh38bp+mFk4QbiLutRvYw HchA==
MIME-Version: 1.0
X-Received: by 10.180.211.19 with SMTP id my19mr2155121wic.19.1378917309327; Wed, 11 Sep 2013 09:35:09 -0700 (PDT)
Received: by 10.180.106.169 with HTTP; Wed, 11 Sep 2013 09:35:09 -0700 (PDT)
In-Reply-To: <CAMm+LwhtmjBXQ1ZQRhKW-2FvPG2AkW5fyRN7ihMOT9UJdPgkkQ@mail.gmail.com>
References: <CAMm+Lwg4hcnk+uPQZizeRM++tic4utQ4P4mFFeKoq=Dx=0nvJw@mail.gmail.com> <6.2.5.6.2.20130911060419.0ddb37c8@elandnews.com> <CAL0qLwZ1HXEfTzvL9KtRmLRvfsgEB4Fy5x7EMV7qjekG7oTwLA@mail.gmail.com> <CAMm+LwhtmjBXQ1ZQRhKW-2FvPG2AkW5fyRN7ihMOT9UJdPgkkQ@mail.gmail.com>
Date: Wed, 11 Sep 2013 09:35:09 -0700
Message-ID: <CAL0qLwYtmmFpU9RnJYvL-pgA5e2Styxs-fpbsYG0YJW4ZHTFMg@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c3855665aee904e61e3419"
Cc: "spfbis@ietf.org" <spfbis@ietf.org>, draft-ietf-spfbis-4408bis.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>, S Moonesamy <sm+ietf@elandsys.com>, The IESG <iesg@ietf.org>
Subject: Re: [secdir] [spfbis] SECDIR Review of draft-ietf-spfbis-4408bis-19
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Sep 2013 16:35:14 -0000
On Wed, Sep 11, 2013 at 7:33 AM, Phillip Hallam-Baker <hallam@gmail.com>wrote: > On Wed, Sep 11, 2013 at 9:43 AM, Murray S. Kucherawy <superuser@gmail.com>wrote: > >> On Wed, Sep 11, 2013 at 6:22 AM, S Moonesamy <sm+ietf@elandsys.com>wrote: >> >>> I am responding to the comment about DKIM only and wait for the SPFBIS >>> WG to address the other issues. >>> >> >> Was the SecDir review for this draft posted to the spfbis list? I >> haven't seen it. >> > > The draft-ietf-spfbis-4408bis.all@tools.ietf.org doesn't cover it? I > thought that was the point. > I'm pretty sure it's authors, shepherds, and co-chairs only, not the whole WG. > > > > >> >>> The Security Considerations section is adequate for the purpose except >>>> that no mention is made anywhere in the specification about DKIM and how a >>>> mail receiver should interpret presence of DKIM and SPF policy at the same >>>> time. This is a legitimate concern since DKIM is already a standards track >>>> proposal and SPF is only now being promoted to Standards Track. Thus the >>>> SPF document should address the question of dual use. >>>> >>> >>> There was a BoF at the last IETF meeting to discuss proposals about how >>> to interpret the presence of DKIM and/or SPF policy at the same time ( >>> http://www.ietf.org/**proceedings/87/minutes/**minutes-87-dmarc<http://www.ietf.org/proceedings/87/minutes/minutes-87-dmarc>). The dual use can be addressed as part of the DMARC effort. >>> >> >> DKIM has no intrinsic policy component. Are we actually talking about >> ADSP here? >> > > If a message has a DKIM signature and it is valid for the sending domain > then that is strong evidence that the owner of the domain intended to send > it. Hence DKIM Signature overlaps with SPF policy. > Ah, I see where you're going now. > > Regardless RFC 5617 is standards track and it is a part of DKIM and the > SPF document should probably mention it as well. > ADSP has seen so little adoption that I think it would actually be a mistake to pay it any homage here. I think your point above about DKIM proper is the more interesting one. > > > >> Assuming we are, I think the best we could do is to note that it's >> possible for ADSP and SPF to yield conflicting policy results; one could be >> a "pass" while the other could be a "fail", meaning the receiving MTA now >> has one "reject" instruction and one "accept" instruction. The receiving >> ADMD will have to make a decision about which one ought to get precedence. >> > > I suspect that the answer is that SPF will take precedence simply because > the MailFROM will be received and acted upon before the MTA has enough > information to act on DKIM information. An MTA that decides email is spam > on the basis of SPF is likely to drop the connection or tar pit it. I doubt > it is going to bother to check a DKIM signature. > Right, I had forgotten about this as well. I shouldn't reply to SecDir without being appropriately caffeinated. It's not necessarily the case that an SPF failure will be acted upon before DKIM even gets evaluated. Though that is clearly for many installations the optimal use because you don't have to deal with the body, any MTA that wants to give DKIM due consideration as well will have to store the SPF result and then decide on it later. And there are sites that do prefer it that way, not the least of which is the entire DMARC community. This draft is already worded such that one can merely observe the SPF result and record it rather than enacting it as soon as possible, possibly using it as one input to a larger equation. This use case could bolster that argument by providing an example, and could even be done without naming DKIM specifically. Of course, the downside is that the receiver has to deal with accepting the body. As long as the tradeoff is made clear (if it isn't already), we might consider adding it. -MSK
- [secdir] SECDIR Review of draft-ietf-spfbis-4408b… Phillip Hallam-Baker
- Re: [secdir] SECDIR Review of draft-ietf-spfbis-4… S Moonesamy
- Re: [secdir] [spfbis] SECDIR Review of draft-ietf… Murray S. Kucherawy
- Re: [secdir] [spfbis] SECDIR Review of draft-ietf… Phillip Hallam-Baker
- Re: [secdir] [spfbis] SECDIR Review of draft-ietf… Murray S. Kucherawy
- Re: [secdir] [spfbis] SECDIR Review of draft-ietf… Dotzero
- Re: [secdir] [spfbis] SECDIR Review of draft-ietf… Dave Crocker
- Re: [secdir] [spfbis] SECDIR Review of draft-ietf… Donald Eastlake
- Re: [secdir] SECDIR Review of draft-ietf-spfbis-4… S Moonesamy