So you think we should include
https://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail in
the actual spec?

Brandon

On Tue, Jun 16, 2020 at 10:26 AM Hector Santos <hsantos=
40isdg....@dmarc.ietf.org> wrote:

> Hi Brandon, some quick points:
>
> 1) I was 100% concentrating on the technical protocol aspects to make
> DMARC protocol complete. DMARC is currently not protocol complete. It
> does not address the failure scenarios related to 3rd party
> re(signers). It left loopholes that need to be closed.  The
> application aspects for administration is, in my technical view, a
> secondary consideration.  The protocol's framework need to complete.
>
> 2) If you suggest there are existing solutions to fill in the holes,
> then they need to be documented in the DMARC proposed standard.It
> can't be intentional "ignorant" about it.  This ignorance did not work
> with ADSP and it did not work with DMARC.
>
> Based on your comments there would be a total of four methods to
> consider for implementors to offer:
>
> 1) Honor the DMARC policy. No Subscriptions, nor submissions from
> restrictive domains. Gandfather current members from restrictive
> domains as read-only members.
>
> 2) Give DKIM private Key to authorized (re)signer,
>
> 3) Use CNAME to share a key with authorized (re)signer, and
>
> 4) Use ATPS RFC6541
>
> Note, I intentionally left out the horrible rewriting kludge. I would
> not encourage it.  Provide good protocol-complete solutions and
> kludges won't be necessary.
>
>
> Thanks
>
> --
> Hector Santos,
> https://secure.santronics.com
> https://twitter.com/hectorsantos
>
> On 6/15/2020 1:15 PM, Brandon Long wrote:
> > I don't understand what adding authorized third party signatures will
> add.
> >
> > For a corporation, it may be possible to validate and approve a number of
> > third party signers... right now, that's done via DNS by either extending
> > SPF to include the third party, or giving the third party a DKIM key (or
> > better, mapping a key into your domain name space with CNAME)... or even
> > by smarthosting.
> >
> > Any email sending vendor has to support this at this point.  However,
> this
> > doesn't handle the external mailing list case, or at best it works with
> just
> > the largest providers or some limited number of lists, but I doubt our
> > security department would approve some random open source list to send
> mail
> > as the company.
> >
> > For a large mailbox provider, the set of potential third party vendors is
> > very large, and would require an extensive vetting process to make it
> work,
> > and even then, you've opened it up to security issues at the weakest
> link.
> > This is basically Google's OAUTH API Verification process with estimates
> > that the vendor security audit cost of $15-75k... and still wouldn't
> handle
> > small mailing list providers.
> >
> > The reason third party signatures don't work for mailing lists is because
> > they are a relay, not an origination service, and fundamentally third
> party
> > signatures only work with origination services.
> >
> > One could say that the third party auth problem is the same with ARC, but
> > there are two major differences.  For one, the question of whether to
> > accept an ARC hop as valid is on the receiver, not the sender, which
> allows
> > it to work with relays which are more known to the receiver than the
> sender.
> > For two, ARC is saying something very different.  Third party auth is
> > saying "this service can act as me" while ARC is saying "this service
> > relayed the message
> > without substantive changes".  It remains to be seen whether ARC is
> > successful at this, of course.
> >
> > So, at best, third party auth for DKIM wil be a "new" way of giving a
> > service access that no one will support for a long time, while there are
> > existing
> > mechanisms which work today for that.
> >
> > Brandon
> >
> > On Sun, Jun 14, 2020 at 10:23 AM Hector Santos <hsantos=
> > 40isdg....@dmarc.ietf.org> wrote:
> >
> >> When we look at DKIM and the DMARC protocol by exposing the boundary
> >> conditions of the protocol, it helps with laying the groundwork for a
> >> protocol-complete model.
> >>
> >> DKIM has three possible signature states:
> >>
> >> - NONE (no valid signature)
> >> - 1PS (1st party valid signature, Author.domain == Signer.domain)
> >> - 3PS (3rd party valid signature, Author.domain != Signer.domain)
> >>
> >> DMARC has three polices:
> >>
> >> - none
> >> - quarantine
> >> - reject
> >>
> >> With these 3x3=9 states, the following table with the boundary
> >> conditions of the protocol is established with the expected and
> >> potential actionable result:
> >>
> >>                           DMARC POLICY
> >>        +===================================================+
> >>        |////// | p=NONE     | p=QUARANTINE  | p=REJECT     |
> >>        |===================================================|
> >>     D  | NONE  | fail-pass  | fail-filter   | fail-reject  |
> >>     K  |-------+------------+------------------------------|
> >>     I  | 1PS   | pass       | pass          | pass         |
> >>     M  |-------+------------+------------------------------|
> >>        | 3PS   | fail-pass  | fail-filter   | fail-reject  |
> >>        +===================================================+
> >>
> >> Note: I intentionally left out SPF conditions for NONE, NEUTRAL,
> >> SOFTFAIL and HARDFAIL. SPF adds an additional 9x4 or 36 total states.
> >>    For this exercise, we are assuming DMARC/SPF alignment is in play
> >> and failure can be for any DMARC known reason including the 3PS failed
> >> states.
> >>
> >> The states for DKIM none and 1PS are expected protocol conditions.
> >> DMARC describes these conditions. But the DKIM 3PS conditions are not
> >> described and are subject to questionable actions because of the
> >> possible false positives results.
> >>
> >> The 3PS failures occur because of the dearth for an Authorized Third
> >> party Signature protocol.  DMARC does not offer 3rd party signature
> >> solutions nor semantics, nor did the ADSP RFC5716 [1] proposal. But
> >> they did not restrict an ADD-ON extension to the protocol.
> >>
> >> ATPS RFC6541 [2] was one such add-on proposed extension to ADSP and
> >> when DMARC replaced ADSP, it equally applies to DMARC as well as an
> >> extension.  We do not need to get into the specific ATPS protocol
> >> details on how to authorize a 3rd party signer. Any "ATPS-like"
> >> protocol will only need to answer one question:
> >>
> >>     Is the 3rd party (re)signer authorized?   Yes or NO
> >>
> >> With this consideration, the table has one additional 3PS-AUTH row
> >> meaning Yes, the 3rd party (re)signer domain was authorized by the
> >> author domain.
> >>
> >>
> >>                      DMARC POLICY W/ ATPS
> >>        +======================================================+
> >>        |//////    | p=NONE     | p=QUARANTINE  | p=REJECT     |
> >>        |======================================================|
> >>     D  | NONE     | fail-pass  | fail-filter   | fail-reject  |
> >>     K  |----------+------------+------------------------------|
> >>     I  | 1PS      | pass       | pass          | pass         |
> >>     M  |----------+------------+------------------------------|
> >>        | 3PS      | fail-pass  | fail-filter   | fail-reject  |
> >>        |----------+------------+------------------------------|
> >>        | 3PS-AUTH | pass       | pass          | pass         |
> >>        +======================================================+
> >>
> >> Overall, as it was originally conceived, the DKIM Policy model can not
> >> ignore ATPS conditions because as you can see above, it would not be
> >> protocol-complete -- it is missing the 3PS-AUTH conditions.
> >>
> >> While ADSP is a specific RFC proposed protocol, I am using it as an
> >> acronym for any authorizing third party signature concept:
> >>
> >>      Result = DKIM_ATPS(author.domain, signer.domain)
> >>
> >> Lets finish that part of the DKIM model.
> >>
> >> Thanks
> >>
> >> [1] https://tools.ietf.orgy/html/rfc5617
> >> [2] https://tools.ietf.org/html/rfc6541
> >>
> >> --
> >> Hector Santos,
> >> https://secure.santronics.com
> >> https://twitter.com/hectorsantos
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Reply via email to