On Sat, May 9, 2015 at 10:33 PM, Anne Bennett <a...@encs.concordia.ca>
wrote:

> Hmm, Hector, I think you've forced me to convince myself that you're
> on the right track: I think that the "registration problem" is a red
> herring after all.  There's no deterministic way to decide what's a
> legitimate mailing list (or other re-signer), any more than there's any
> way to deterministically decide what's a legitimate originator.  Those
> determinations are made heuristically outside DMARC.
>

Numerous proposals have appeared over the years to solve the Mediator
problem and its ilk, all of which involve advertising in some way that two
domains are related somehow.  The favorite example is "A can sign B's
mail", with the implication being "and you should act as if B signed it".

There are several problems with an approach like this:

1) The favorite way to advertise and check this is DNS.  There are several
arguments about why this needs to be avoided, so doing it again always
draws them out again.

2) There isn't a nice way so far to do this at other than the domain
level.  That means any actor inside "A" can sign mail that claims to come
from "B".  So if "A" is compromised, "B" is hosed.  The "B"s of the world
tend not to be so thrilled with this.

3) Very large operators have millions or even billions of users.  For "A
can sign B's mail" to work, the set "A" for those operators is potentially
enormous.  (I think Yahoo quoted numbers well into five figures.)  The "B"s
of the world tend not to be thrilled with this at all either, because every
domain in the set "A" is a potential exposure.  How do we populate the
set?  Either we do it (a) heuristically, because as you said it's not
deterministic; (b) via a central authority (trusted by whom, exactly?); or
(c) by letting the users of "B" populate it (which is obviously, one would
hope, a huge abuse vector).

This "How do we populate the set?" is "the registration problem".  There
are some implicit "safely" and "at scale" adverbs in there too, just for
flavor.

So suppose you come up with a heuristic that works for you.  It reliably
(magically?) adds a domain to the set "A" when a user at your domain
subscribes to a list operated by a mediator within that domain, and
reliably (magically?) removes it the minute all such relationships with
that domain are broken.  You are still faced with (1) and (2) above.

Moreover, the magic you have to come up with would presumably watch your
incoming and outgoing mail looking for things that look like lists, and
update "A" when such are observed.  Now I'm a Bad Guy(tm).  I want to be
able to send people mail that they believe is at least endorsed by you.  I
send mail to a random user at your site that looks like list traffic coming
from BadGuyDomain.com.  Your heuristic adds that domain to "A" because you
don't want to mess with that user's list experience.  Voila, I am now able
to phish as you.

So yes, DMARC doesn't necessarily need to spell out a solution to the
registration problem.  But that's not the issue; the concern is whether
endorsing a solution that requires a registration step, regardless of how
it's accomplished, is a pragmatic thing to pursue in the first place.

-MSK
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
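The attack sketched in that message (a naive auto-registration heuristic gets poisoned by mail that merely looks like list traffic) is small enough to model. The following is an added example, not code from the thread, the DMARC working group, or any real implementation; the domains, the `Policy` class and the `List-Id`-based heuristic are all assumptions chosen to illustrate the argument. It contrasts strict DMARC-style alignment (signing domain must equal the RFC5322.From domain) with an "A can sign B's mail" rule whose set "A" is populated by watching inbound list-looking traffic, and shows that one unsolicited message from the attacker's domain is enough to let that domain sign mail as the protected domain.

```python
"""
Toy model of the "A can sign B's mail" registration problem.

Hypothetical simplification: DKIM signature validity is taken as given, so a
message is just (From domain, d= of the signature, recipient domain, optional
List-Id).  Domain "B" keeps a set A of domains whose signatures it treats as
its own, and a naive heuristic grows A from observed list traffic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Message:
    from_domain: str                    # RFC5322.From domain (DMARC aligns on this)
    dkim_d: str                         # d= of the (assumed valid) DKIM signature
    rcpt_domain: str                    # domain the message was delivered to
    list_id: Optional[str] = None       # List-Id header, if any
    local_user: Optional[str] = None    # local recipient at rcpt_domain, if any


@dataclass
class Policy:
    protected: str                                  # domain "B"
    authorized: Set[str] = field(default_factory=set)  # set "A"

    def strict_aligned(self, msg: Message) -> bool:
        """DMARC-style check: signer and From must both be the protected domain."""
        return msg.dkim_d == msg.from_domain == self.protected

    def delegated_aligned(self, msg: Message) -> bool:
        """'A can sign B's mail': any member of A is as good as B's own signature."""
        return msg.from_domain == self.protected and (
            msg.dkim_d == self.protected or msg.dkim_d in self.authorized
        )

    def observe(self, msg: Message) -> None:
        """Naive auto-registration (hypothetical): if a local user receives
        something carrying a List-Id, register whoever signed it as a mediator.
        This is the 'magic' heuristic the message warns about."""
        if msg.rcpt_domain == self.protected and msg.local_user and msg.list_id:
            self.authorized.add(msg.dkim_d)


def run_scenario() -> Dict[str, object]:
    """Replay constructed traffic against the two alignment rules."""
    policy = Policy(protected="example.org")

    # Constructed sample 1: a real list re-signs a post from an example.org
    # user and delivers it back to alice@example.org.  This is the case the
    # heuristic is meant to handle.
    legit_list = Message(from_domain="example.org", dkim_d="lists.example.net",
                         rcpt_domain="example.org",
                         list_id="<devs.lists.example.net>", local_user="alice")
    policy.observe(legit_list)

    # Constructed sample 2: Bad Guy sends bob@example.org a message that
    # merely looks like list traffic from badguy.example.
    bait = Message(from_domain="badguy.example", dkim_d="badguy.example",
                   rcpt_domain="example.org",
                   list_id="<deals.badguy.example>", local_user="bob")
    policy.observe(bait)

    # Constructed sample 3: the payoff.  Bad Guy signs a message with his own
    # key but puts example.org in the From header and sends it to a third party.
    phish = Message(from_domain="example.org", dkim_d="badguy.example",
                    rcpt_domain="victim.example")

    # Constructed sample 4: problem (2) from the message.  Anyone inside an
    # authorized domain, not just the list software, can sign as example.org.
    insider = Message(from_domain="example.org", dkim_d="lists.example.net",
                      rcpt_domain="victim.example")

    return {
        "authorized": sorted(policy.authorized),
        "legit_list_strict": policy.strict_aligned(legit_list),
        "legit_list_delegated": policy.delegated_aligned(legit_list),
        "phish_strict": policy.strict_aligned(phish),
        "phish_delegated": policy.delegated_aligned(phish),
        "insider_delegated": policy.delegated_aligned(insider),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Under strict alignment the legitimate list post fails (the familiar mediator breakage) and the phish fails too; under the delegated rule the list post passes, but so does the phish, because `observe()` added `badguy.example` to set "A" on the strength of a single unsolicited List-Id. The `insider` case shows that even a correctly registered mediator domain grants signing authority to everyone behind it, which is the domain-granularity problem (2) in the message.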