On Tue 01/Dec/2020 05:56:46 +0100 Brandon Long wrote:
> On Thu, Nov 26, 2020 at 12:59 AM Alessandro Vesely <ves...@tana.it> wrote:
> 
>> On 25/11/2020 20:16, Michael Thomas wrote:
>>> On 11/25/20 11:11 AM, Alessandro Vesely wrote:
>>>> On 25/11/2020 19:24, Jesse Thompson wrote:
>>>>> On 11/25/20 11:30 AM, Alessandro Vesely wrote:
>>>>>> Without resorting to ARC, it is still possible to validate author
>>>>>> domain's signatures directly if the MLM just adds a subject tag
>>>>>> and a footer
>>>>>
>>>>> I agree that ARC isn't really needed to do this (trust the last hop
>>>>> from the MLM and determine the original authenticity from the MLM's
>>>>> perspective)
>>>>
>>>> I didn't mean to trust the MLM.  I meant remove the subject tag and
>>>> the footer, then the original DKIM signature verifies.  See:
>>>> https://datatracker.ietf.org/doc/draft-vesely-dmarc-mlm-transform/
>>>
>>> When I was at Cisco, with l= and some subject line heuristics I could get
>>> probably like 90+% verification rate across the entire company, a company
>>> that uses external mailing lists a lot. Definitely not 100% though.
>>
>>
>> DKIM itself is not 100%.  You always have lines beginning with "From " or
>> occasional autoconversions.
>>
>> l= doesn't cover multipart/alternative nor Content-Transfer-Encoding: 
>> base64. In addition, the DKIM spec discourages its usage and suggests
>> that "Assessors might wish to ignore signatures that use the tag."
>>
> 
> Right, some of the other dkim-light or diff concepts we discussed would be
> better than using l=
> 
> We again got hung up on the 100% solution, though... something that handled 
> subject-prefix and footer in a transport agnostic way might have worked.

I'm not clear about the meaning of "100%".  If an author domain puts no DKIM 
signatures, there is no way to verify them.  Hence, some compliance of the 
author domain has to be required.

The same holds for conditional signatures.

The same holds for MLM transformations.


> The fact that DKIM isn't transport agnostic is an Achilles heel to even
> that, though, since we'd have to come up with a new canonicalization and get
> it to widespread adoption before the simple diff could work.

As DKIM works in the vast majority of cases (yes, not 100%, but nearly), the 
idea to discombobulate it for the sake of a meagre set of old-fashioned 
individuals who still dislike mass social media is a showstopper.  Yet, since 
DMARC standardization itself avails of mailing lists, we may want to get some 
coherence.


> Or require mailing lists to be a lot more strict in how they do their email
> rewriting, but I imagine that's harder work than even ARC.

They are quite strict already.  For example, I received the message I'm 
replying to in both my top and dmarc folders.  Both copies of the message have 
the correct From:.  The MLM copy was authenticated like so:

Authentication-Results: wmail.tana.it;
  spf=pass smtp.mailfrom=ietf.org;
  dkim=pass reason="Original-From: transformed" (whitelisted)
    header.d=google.com;
  dkim=pass (whitelisted) header.d=ietf.org
    header.b=zA0RRbSR;
  dkim=fail (signature verification failed, whitelisted) header.d=ietf.org
    header.b=F65GxYqF

From: restoring is documented here:
https://www.tana.it/sw/zdkimfilter/zdkimfilter.html#mlmtrans


Best
Ale
-- 
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
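
The idea discussed in this thread (undo the list's subject tag and footer so that the author domain's DKIM signature can be checked again), as an added example that is not part of the original message and is neither the draft's nor zdkimfilter's algorithm. It checks only the body hash (bh=) under relaxed canonicalization; the subject tag "[dmarc-ietf]", the underscore-line footer heuristic and the sample message are assumptions.

```python
import base64
import hashlib
import re

# Assumption: the list footer starts at the last line made only of underscores.
FOOTER_RE = re.compile(rb"^_{10,}[ \t]*\r?\n", re.M)

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 relaxed body canonicalization."""
    lines = re.split(rb"\r?\n", body)
    # Collapse runs of whitespace to one space, drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # ignore empty lines at the end of the body
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a signer using c=.../relaxed and a=rsa-sha256 would put in bh=."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def strip_footer(body: bytes) -> bytes:
    """Cut the body at the last underscore-only line, if there is one."""
    matches = list(FOOTER_RE.finditer(body))
    return body[:matches[-1].start()] if matches else body

def strip_subject_tag(subject: str, tag: str) -> str:
    """Remove the first occurrence of the list tag, also after 'Re: '."""
    return subject.replace(tag + " ", "", 1)

def bh_matches(body: bytes, bh: str) -> bool:
    return body_hash(body) == bh

# Constructed sample: what the author sent, and the bh= their domain signed.
ORIG_BODY = b"Hello list,\r\n\r\nl= does not cover this case.\r\n"
SIGNED_BH = body_hash(ORIG_BODY)

# Constructed sample: the same body after the MLM added a blank line and footer.
MLM_BODY = ORIG_BODY + (
    b"\r\n_______________________________________________\r\n"
    b"dmarc mailing list\r\ndmarc@ietf.org\r\n"
    b"https://www.ietf.org/mailman/listinfo/dmarc\r\n"
)

if __name__ == "__main__":
    print("as received :", bh_matches(MLM_BODY, SIGNED_BH))
    print("footer undone:", bh_matches(strip_footer(MLM_BODY), SIGNED_BH))
    print(strip_subject_tag("Re: [dmarc-ietf] DKIM and mailing lists", "[dmarc-ietf]"))
```

A body-hash match only says the body was restored; the signature over the headers, including the restored Subject:, still has to be verified against the author domain's public key.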
