On Sat, Jul 16, 2022 at 7:20 AM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:
> SIBLING: One part of an organization validates a message for a domain in a different part of the organization. This is a very weak authentication method and has multiple risks. The primary risks are created by private registries, if the registry boundary is undetected. For the PSL, the threat comes from private registries that are not listed. For the Tree Walk, the threat comes from private registries that are not tagged. The secondary risk comes from assuming strong central control where it may not exist, and where the impersonation may be the result of malware. Universities come to mind because we have discussed how they have distributed control structures. Is it wise for us to assume that a message with MAIL FROM of us...@physics.example.edu is authorized to send messages with FROM us...@sociology.example.edu, or us...@students.example.edu can send messages for us...@admin.example.edu? I don't think so.
>
> My proposal:
> Sibling authentication should be disabled by default, even for policies that specify relaxed authentication. Those organizations that want sibling authentication should explicitly request it using a tag (to be defined) on the Organizational Domain policy. If the tag is not present, relaxed authentication enables only exact, parent-child, and child-parent relationships.

To my mind, from a security standpoint, I think this is a reasonable argument. The mitigating factor is inertia. We need to recognize that the deployed base implementing RFC 7489 is substantial, and whatever we produce here as the Proposed Standard will coexist with it for some time. ("Update? Why? It's working fine.") Thus, changing the default from "adkim=r" to "adkim=s" as proposed here will create a bifurcation where legacy installations, which are unlikely to update in the short term, will implement one default while current ones will implement another.
So it comes down to which we're willing to tolerate and/or to foist upon the Internet: a split-brain that makes results non-deterministic, or a relatively homogeneous space with an arguably unsafe historic default. Whichever we pick, we should be prepared to explain why. -MSK, no hat
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
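The alignment relationships argued over above (exact, parent-child, child-parent and sibling) and the registry-boundary risk Douglas describes can be made concrete in code. The following is an added illustration, not code from the thread, from RFC 7489 or from any DMARC implementation. It assumes a constructed registry list standing in for the PSL (or the tagged boundaries a Tree Walk would find), a hypothetical `allow_sibling` switch standing in for the "tag (to be defined)" in the proposal, and a single `mode` parameter covering what DMARC splits into adkim and aspf. The domains are the ones used in the thread; the local parts are omitted.

```python
"""Added example: classify DMARC identifier alignment and show why an
undetected private registry turns 'relaxed' into sibling impersonation."""

from typing import Iterable


def org_domain(domain: str, registries: Iterable[str]) -> str:
    """Organizational domain = longest matching registry suffix plus the one
    label in front of it. `registries` is a constructed stand-in for the PSL
    or for Tree-Walk-tagged boundaries; a private registry missing from it is
    exactly the 'undetected registry boundary' case."""
    labels = domain.lower().rstrip(".").split(".")
    best = None
    for reg in registries:
        reg_labels = reg.lower().split(".")
        n = len(reg_labels)
        if len(labels) > n and labels[-n:] == reg_labels:
            if best is None or n > best:
                best = n
    if best is None:
        raise ValueError(f"no registry boundary found for {domain!r}")
    return ".".join(labels[-(best + 1):])


def relationship(auth: str, rfc5322_from: str) -> str:
    """How the authenticated identifier domain (SPF MAIL FROM or DKIM d=)
    relates to the RFC5322.From domain. Callers are expected to have checked
    that both share an organizational domain first; otherwise 'sibling' here
    just means 'neither is an ancestor of the other'."""
    a = auth.lower().rstrip(".")
    f = rfc5322_from.lower().rstrip(".")
    if a == f:
        return "exact"
    if f.endswith("." + a):
        return "parent-child"   # auth domain is an ancestor of the From domain
    if a.endswith("." + f):
        return "child-parent"   # auth domain is a descendant of the From domain
    return "sibling"


def aligned(auth: str, rfc5322_from: str, mode: str,
            registries: Iterable[str], allow_sibling: bool = False) -> bool:
    """Alignment verdict.
    mode='s'  : strict, exact match only.
    mode='r'  : relaxed; same organizational domain required. With
                allow_sibling=True this is the RFC 7489 behaviour; with
                allow_sibling=False it is the proposed default, which keeps
                exact, parent-child and child-parent but drops sibling.
    `allow_sibling` is a hypothetical stand-in for the tag proposed above."""
    registries = tuple(registries)
    if auth.lower().rstrip(".") == rfc5322_from.lower().rstrip("."):
        return True
    if mode == "s":
        return False
    if mode != "r":
        raise ValueError(f"unknown alignment mode {mode!r}")
    if org_domain(auth, registries) != org_domain(rfc5322_from, registries):
        return False
    return relationship(auth, rfc5322_from) != "sibling" or allow_sibling


def demo() -> dict:
    """Run the thread's examples. PSL is a constructed stand-in; the second
    registry list adds students.example.edu as a detected private registry."""
    psl = ("edu", "com")
    psl_with_private = psl + ("students.example.edu",)
    return {
        # physics signs for sociology: RFC 7489 relaxed passes, proposal fails
        "sibling_rfc7489": aligned("physics.example.edu", "sociology.example.edu",
                                   "r", psl, allow_sibling=True),
        "sibling_proposed": aligned("physics.example.edu", "sociology.example.edu",
                                    "r", psl, allow_sibling=False),
        # parent-child and child-parent survive the proposed default
        "parent_child": aligned("example.edu", "physics.example.edu", "r", psl),
        "child_parent": aligned("physics.example.edu", "example.edu", "r", psl),
        # strict mode rejects everything but exact
        "strict": aligned("example.edu", "physics.example.edu", "s", psl),
        # students.example.edu hands out subdomains but is not in the PSL:
        # a student host is a sibling of admin and passes under RFC 7489 relaxed
        "undetected_registry": aligned("alice.students.example.edu", "admin.example.edu",
                                       "r", psl, allow_sibling=True),
        # once the registry boundary is known, the org domains differ and it fails
        "detected_registry": aligned("alice.students.example.edu", "admin.example.edu",
                                     "r", psl_with_private, allow_sibling=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} aligned={verdict}")
```

The last two entries of `demo()` are the point of Douglas's first risk: with sibling alignment on, a missing registry entry is enough to let any host under students.example.edu pass for admin.example.edu, whereas with sibling alignment off (`sibling_proposed`) the missing entry no longer matters, because neither domain is an ancestor of the other. The "bifurcation" Murray describes is the difference between evaluators that run with `allow_sibling=True` by default and those that run with `False`.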