On 11/3/2017 3:32 PM, Brandon Long wrote:
> If you look at RFC 7960, ARC is intended mostly for the mediators
> case, though it would also be for the MDA/MTA case. It does nothing
> for the MSA case, though there have been some proposals about having a
> hop=0 or just falsifying hop=1 for that.
> Most of the MSA issues, though, are mostly of the type "well, dmarc
> p=reject/quarantine means the domain holder doesn't want you doing
> that", so I'm not clear there's a solution there.
If I still understand ARC and its attempt to do a chain-of-trust
concept, I think there would still be a need for a 3rd Party Seal
authorized domain or "registration" concept; otherwise, only the
entire chain validity matters. We can have policies for strong and
relaxed ARC seal requirements.
Overall, the integrated DKIM policy solution begins with RFC7489.DMARC
Tag Extensions:
3.1.3. Alignment and Extension Technologies
If in the future DMARC is extended to include the use of other
authentication mechanisms, the extensions will need to allow for
domain identifier extraction so that alignment with the RFC5322.From
domain can be verified.
We can consider an "atps=" tag and "arc=" tag as experimental
concepts. One is DNS-based, no additional RFC5322 overhead, the
other has additional RFC5322 modification and processing requirements.
I suggest there will be a significant percentage of smaller/private
domains that will not have the same requirements as the larger "public
service" ESP domains.
If a DMARC record has an "atps=1" it uses rfc6541 to check the 3rd
party signer DKIM.SDID domain.
If a DMARC record has an "arc=1" it uses the ARC proposal and some
new "policy" proposal (TBD) to check the 3rd party seals and probably
one or more sealer domains.
I would even consider adding to the experiment the exploration of
Levine's Conditional DKIM Signer proposal, with a "cond=1" tag. This
proposal is a non-DNS-lookup idea to authorize an expected 3rd party
signer, I believe added to the original signature. The DMARC extended
"cond=1" tag could say "a failed p=reject message can be promoted to
pass with valid 3rd party conditional signer."
--
HLS
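As an added illustration (written for this page, not code from the thread or from any DMARC implementation), the sketch below evaluates a DMARC record under the proposed "atps=1", "arc=1" and "cond=1" opt-in tags on top of the baseline RFC 7489 DKIM alignment check. The ATPS lookup, ARC chain validation and conditional-signature verification are assumed to have been done elsewhere and are passed in as results; SPF alignment and a real public-suffix lookup are omitted as simplifications.

```python
# Added example for the proposed DMARC tag extensions discussed above.
# "atps=", "arc=" and "cond=" are proposals from the thread, not published
# DMARC tags; their semantics here are an assumption for illustration.
# DNS, ARC and signature verification are assumed to be done by the caller.

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Crude organizational domain: last two labels (no PSL; assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, signer: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return from_domain.lower() == signer.lower()
    return org_domain(from_domain) == org_domain(signer)

def evaluate(record, from_domain, dkim_pass_domains,
             atps_authorized=(), arc_valid=False, cond_signer_valid=False):
    """Return (disposition, reason); disposition is 'pass' or the p= value."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none")
    adkim = tags.get("adkim", "r")
    # Baseline DMARC: any valid DKIM signature aligned with RFC5322.From passes.
    for signer in dkim_pass_domains:
        if aligned(from_domain, signer, adkim):
            return "pass", f"aligned DKIM signer {signer}"
    # Proposed extensions, each consulted only when the record opts in.
    if tags.get("atps") == "1":
        authorized = {a.lower() for a in atps_authorized}
        for signer in dkim_pass_domains:
            if signer.lower() in authorized:
                return "pass", f"ATPS-authorized third-party signer {signer}"
    if tags.get("arc") == "1" and arc_valid:
        return "pass", "valid ARC chain (sealer-domain policy TBD)"
    if tags.get("cond") == "1" and cond_signer_valid:
        return "pass", "valid conditional third-party signature"
    return policy, "no aligned or authorized signer"
```

Note that without the opt-in tag a valid ARC chain or conditional signature does not override p=reject/quarantine, which matches the concern in the quoted message that the domain holder's policy must win by default.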
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc