Re: [dmarc-ietf] [arc-discuss] Proposal to adopt ARC documents into the WG (toward phase 2 milestone)
(Sorry Murray, I missed the tail of your message.)

On 05/13/2016 05:24 AM, Murray S. Kucherawy wrote:

>>>>> Yes, AS[1] testifies to the Authenticated-Results of receiving the message
>>>>> from the originator.
>>>>
>>>> That only proves the first receiver was involved. A final receiver may trust its results or not.
>>>
>>> What is the first receiver reporting if not the authentication claims made by the originator?
>>
>> They could equally be reporting fraudulent claims in order to defeat email security systems at (a) downstream receiver(s).
>
> ...meaning nodes 0 (originator) and 1 are in collusion? Sure, that's possible, but how would requiring an i=0 thwart such an arrangement?

No, "they" meaning the i=1 party. Having a third-party originator state their own assertions in a form that ARC will include in its chain allows the receiver to make decisions based upon the trust of the i=0 party, even where they don't trust the i=1 party. Also, no requirement, just an option for Originators. Per my earlier message though, I'd now suggest that this is a job for a new 7601.Method.

- Roland

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] [arc-discuss] Proposal to adopt ARC documents into the WG (toward phase 2 milestone)
On Wed, May 11, 2016 at 7:19 PM, Roland Turner wrote:

> I'd suggest not. AS[1] permits a receiver (or other assessor) to determine
> with some confidence that the putative signer made such an assertion about
> the putative originator, it provides no information about the involvement
> of the putative originator except to the extent that the assessor
> additionally trusts the assertions of the putative signer. Decisions to
> trust are necessarily outside the specification. This argument applies
> equivalently to AS[0] independent origination scenarios and to AS[>0]
> forwarding scenarios.

What would an i=0 ARC Set tell you that the i=1 set does not? As I understand it, an i=0 set would be the author asserting "I validated my own mail, and it was good." How would one consume such an assertion in a meaningful way?

>> > Yes, AS[1] testifies to the Authenticated-Results of receiving the message
>> > from the originator.
>>
>> That only proves the first receiver was involved. A final receiver may trust
>> its results or not.
>
> What is the first receiver reporting if not the authentication claims made
> by the originator?
>
> They could equally be reporting fraudulent claims in order to defeat email
> security systems at (a) downstream receiver(s).

...meaning nodes 0 (originator) and 1 are in collusion? Sure, that's possible, but how would requiring an i=0 thwart such an arrangement?

-MSK

Re: [dmarc-ietf] [arc-discuss] Proposal to adopt ARC documents into the WG (toward phase 2 milestone)
On 05/12/2016 06:28 AM, Murray S. Kucherawy via arc-discuss wrote:

> On Wed, May 11, 2016 at 9:54 AM, Alessandro Vesely wrote:
>
>>> Doesn't the i=1 ARC set also prove the originator was involved?
>>
>> No, it doesn't.
>
> Could you say why not? It seems to me the i=1 ARC set is validating the message authentication provided by the originator. That seems to qualify to me as "involved" on the part of the originator.

I'd suggest not. AS[1] permits a receiver (or other assessor) to determine with some confidence that the putative signer made such an assertion about the putative originator, it provides no information about the involvement of the putative originator except to the extent that the assessor additionally trusts the assertions of the putative signer. Decisions to trust are necessarily outside the specification. This argument applies equivalently to AS[0] independent origination scenarios and to AS[>0] forwarding scenarios.

>>> Yes, AS[1] testifies to the Authenticated-Results of receiving the message
>>> from the originator.
>>
>> That only proves the first receiver was involved. A final receiver may trust its results or not.
>
> What is the first receiver reporting if not the authentication claims made by the originator?

They could equally be reporting fraudulent claims in order to defeat email security systems at (a) downstream receiver(s).

- Roland