Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations

[Jesse Thompson]

On 7/23/20 8:07 AM, Joseph Brennan wrote:
>> I think that we just have to agree that From-munging by MLMs is a permanent 
>> reality.  It needs to be documented more prominently (and promoted as part 
>> of the DMARC marketing) so that implementations are more consistent, so that 
>> un-munging tactics and/or MUA behavior can be consistently implemented.
>>
> I'd be happier for the proposed standard to say that DMARC policy
> "SHOULD NOT" be compromised by rewriting From lines-- and see how that
> goes over. My reasoning is that blessing the practice makes it easier
> for bad actors to craft spoofed mail and get it accepted. The opposite
> of the purpose of DMARC, isn't it?

(sorry, I forgot to reply earlier)

I realize that your worry is valid if anyone attempted to un-munge the messages 
and then use the un-munged state somehow to validate authenticity.  I assume 
that un-munging would only be attempted locally if the message passes DMARC and 
is trusted by local policy.  (Similarly, as I've suggested in other contexts, 
it would be nice if the Receiver could preemptively communicate this trust to 
the Intermediary so that the munging didn't need to occur in the first place 
and ARC could come to fuition, but I digress.)

As others have said, munged messages sent via a MLM aren't much different than 
someone posting to a web form and it then distributing the post to a set of 
email recipients.  That web form isn't expecting to be able to use the author's 
domain, and the pattern it uses in the Friendly From is somewhat arbitrary and 
could be co-opted by spammers.  

I don't think that bad actors crafting is a huge worry since I think that in 
both scenarios it would just fall back on the reputation of the domain (and 
other factors). 

(just spit balling... it's getting late on a Friday...) Perhaps an interesting 
local policy enforcement (to get at your concern) would be to require that 
messages with certain Friendly From patterns to be DMARC aligned (regardless of 
policy) since I could assume that any MLM (that I care about) that's DMARC 
aware enough to munge would also have aligned SPF and/or DKIM results.

Jesse

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] non-mailing list use case for differing header domains

[John R Levine]

On Fri, 31 Jul 2020, Jesse Thompson wrote:

I think they want their IT staff to deploy an email system and policies that 
work the way they would expect.  They want their organization to be seen as 
secure, so they don't want to be on the Buzzfeed list of Fortune 500 companies 
that have neglected to secure their domains with DMARC.


Well, that's the problem, isn't it?  If your expectations for e-mail are 
shaped by experience with paper mail and you don't realize how different 
an organization's internal highly controlled mail system is from e-mail on 
the outside, you're inevitably going to be surprised, sometimes 
unpleasantly.


I would like for us to avoid the Yes Minister Tautology: We must do 
something, this is something, therefore we must do this.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] non-mailing list use case for differing header domains

[John Levine]

In article  you write:
>I think you're right, and isn't the market indicating that there is demand for 
>DMARC designed for other usage patterns?  e.g.
>Would the CEO of any of those fortune 500 companies like the idea of their 
>personal address being spoofed?

I dunno. Would they like the idea of mail their assistants send out
for them being silently discarded because it's falsely tagged as being
"spoofed"?

R's,
John

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

[dmarc-ietf] LSAP - Lightweight Signer Authorization Protocol methodology

[Hector Santos]

On 7/31/2020 4:06 AM, Alessandro Vesely wrote:

hector wrote:

base32(sha1(SIGNER-DOMAIN))._atps.isdg.net



Isn't that overly complicated?


I don't think so, but sure, it is not 100% "Low Code."  A hash 
"calculator" is needed.



Why SHA1?


The intent was for a lightweight hashing that won't produce long 
hashing tags or labels or subdomains. Whats the maximum length of a 
domain?


But mainly because Murray's ATPS was based off Doug Otis's TPA-LABEL 
which used the same hashing algorithm.


  DKIM Third-Party Authorization Label
  https://tools.ietf.org/html/draft-otis-dkim-tpa-label-06

Doug provided a portable C-based TPA-Label calculator source code in 
Appendix B.


ATPS was the "simpler" version of TPA-Label. TPA-label was a little 
complex for a period when it was extremely challenging in the DKIM WG 
to get a Author::Signer relationship endorsed. Remember, we were 
dealing with push back even the 1st party DNS lookup policy.


There was general agreement TPA-Label offer more scalability. ATPS was 
just simpler to plug and play, explore and test the proof of concept 
and that it did.



An alternative method to authorize 3rd parties is RHSWLs,


Let me (re)state I believe in a "Black Box" functional design and 
engineering.  I am not stuck on ATPS.  It is about the functional 
methodology for an Author::Signer association, a "Lightweight Signer 
Authorization Protocol" or LSAP.  We had the same with LMAP 
"Lightweight MTA Authorization Protocol."  Maybe LSAP can do for 
DMARC, what LMAP did for SPF.  But imo, we need to get consensus with 
a LSAP methodology.  With consensus, a specific method can be worked out.



see my previous post[*].  By
comparison with the above quote, assume we have:

 From: some...@example.com
 Sender: a...@example.net

The DMARC record at example.com:

   v=DMARC1; p=reject; snd=lst.rhswl.example; rua=mailto:r...@example.com;

The snd=lst.rhswl.example tells a compliant receiver that if it sees a
3rd party authentication (either SPF or DKIM) of the Sender domain:,
where:

 From: domain IS NOT EQUAL TO Sender: domain

Then it can do a right-hand side whitelist lookup:

 example.net.lst.rhswl.example

If the record exists, then example.net is authorized to send on behalf
of example.com.


Sure, again, imo, we need a BLACK BOX "LSAP" methodology to be work 
out. see below.



Features:

* Absence of cryptographic stuff (sha1) makes it simpler.

* A multi-domain bank (Autumn's example) can easily build its own
RHSWL containing all and only their domains, e.g.:

   firstbrand.com.lst.mainbrand.com  IN A 127.0.0.2
   secondbrand.com.lst.mainbrand.com IN A 127.0.0.2

* Large free-email domains can build their own RHSWL so as to avoid
the MLM problem.

* Lazy mail domains can easily point to a public RHSWL which lists
almost all the legitimate Internet.

* Strictly transactional domains can still keep snd=none (the default).

* Experimenting domains can have p=none; snd=lst.in-progress.example;
while they monitor aggregate reports to see how their list is doing.


Do you have a I-D? If not, why not write up the draft proposal so it 
can better reviewed and maybe even explored?


Based on discussions, it sounds this LSAP model would include author, 
signer, sender identities:


Authorized := LSAP(Author, Signer, Sender)

This was the same idea with LMAP for SPF.

Authorized := LMAP(IP, Domain)

In SPF, the LMAP function is called Check_Host() with arguments:

- the IP address of the SMTP client that is emitting
  the mail, either IPv4 or IPv6.

- the domain that provides the sought-after authorization
  information; initially, the domain portion of the
  "MAIL FROM" or "HELO" identity.

- the "MAIL FROM" or "HELO" identity.


--
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos


___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] non-mailing list use case for differing header domains

[Alessandro Vesely]

On Wed 29/Jul/2020 19:34:48 +0200 Hector Santos wrote:

On 7/28/2020 1:19 PM, Doug Foster wrote:

Hector, I do not understand this comment:

"The DKIM Policy Model since ADSP lacked the ability to authorize 3rd party 
domains. DMARC did not address the problem and reason ADSP was abandoned. 
Hence the on-going dilemma."




[...]

We have DKIM Policy extension proposals like ATPS (RFC6541) that offers a 
deterministic method to associate the author domain with 3rd party signer 
domains.   This authorization is defined by the Originating, Author Domain.


Look at my DMARC record for my isdg.net domain:

v=DMARC1; p=reject; atps=y; rua=mailto:dmarc-...@isdg.net; 
ruf=mailto:dmarc-...@isdg.net;


The atps=y tells an ATPS compliant receiver that if it sees a 3rd party domain 
signature:


   Author Domain IS NOT EQUAL TO Signer Domain

Then it can do a ATPS look:

    base32(sha1(SIGNER-DOMAIN))._atps.isdg.net

So if I wanted to authorized bayviewphysicians.com to be able to sign for me, I 
would go to the wizard https://secure.winserver.com/public/wcdmarc,  enter your 
domain in the list of authorized signers, click Zone Record and I get a record 
I can add to my isdg.net zone:


e25dhs2vmyjf2tc2df4efpeu7js7hbik._atps  TXT ("v=atps01; 
d=bayviewphysicians.com;")

So anyone out there can see that I authorized bayviewphysicians.com to sign for 
isdg.net



Isn't that overly complicated?  Why SHA1?  An alternative method to authorize 
3rd parties is RHSWLs, see my previous post[*].  By comparison with the above 
quote, assume we have:


From: some...@example.com
Sender: a...@example.net

The DMARC record at example.com:

v=DMARC1; p=reject; snd=lst.rhswl.example; rua=mailto:r...@example.com;

The snd=lst.rhswl.example tells a compliant receiver that if it sees a 3rd 
party authentication (either SPF or DKIM) of the Sender domain:, where:


From: domain IS NOT EQUAL TO Sender: domain

Then it can do a right-hand side whitelist lookup:

example.net.lst.rhswl.example

If the record exists, then example.net is authorized to send on behalf of 
example.com.



Features:

* Absence of cryptographic stuff (sha1) makes it simpler.

* A multi-domain bank (Autumn's example) can easily build its own RHSWL 
containing all and only their domains, e.g.:


  firstbrand.com.lst.mainbrand.com  IN A 127.0.0.2
  secondbrand.com.lst.mainbrand.com IN A 127.0.0.2

* Large free-email domains can build their own RHSWL so as to avoid the MLM 
problem.


* Lazy mail domains can easily point to a public RHSWL which lists almost all 
the legitimate Internet.


* Strictly transactional domains can still keep snd=none (the default).

* Experimenting domains can have p=none; snd=lst.in-progress.example; while 
they monitor aggregate reports to see how their list is doing.



Best
Ale
--

[*] https://mailarchive.ietf.org/arch/msg/dmarc/jQlUhE-ijiWeb1CybKy6367eVn8


























___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc