Re: [dmarc-ietf] [arc-discuss] Proposal to adopt ARC documents into the WG (toward phase 2 milestone)

2016-05-15 Thread Roland Turner

(Sorry Murray, I missed the tail of your message.)

On 05/13/2016 05:24 AM, Murray S. Kucherawy wrote:



> Yes, AS[1] testifies to the Authenticated-Results of receiving the message
> from the originator.

That only proves the first receiver was involved.  A final receiver may trust
its results or not.


What is the first receiver reporting if not the authentication
claims made by the originator?


   They could equally be reporting fraudulent claims in order to defeat
   email security systems at (a) downstream receiver(s).


...meaning nodes 0 (originator) and 1 are in collusion?  Sure, that's 
possible, but how would requiring an i=0 thwart such an arrangement?


No, "they" meaning the i=1 party. Having a third-party originator state 
their own assertions in a form that ARC will include in its chain allows 
the receiver to make decisions based upon the trust of the i=0 party, 
even where they don't trust the i=1 party.


Also, no requirement, just an option for Originators. Per my earlier 
message though, I'd now suggest that this is a job for a new 7601.Method.


- Roland

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
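
The argument in this thread, that a valid AS[1] only attributes the claims to its signer and that relying on them is the assessor's own trust decision, sketched as a local policy check. This is an added example, not part of the thread or of any ARC implementation; the sample headers, domains and function names are constructed, and seal signatures are assumed to have been verified elsewhere.

```python
# Constructed sample headers (not from the thread), assumed unfolded. b= values
# are placeholders: seal signatures are assumed verified by a real ARC library.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=list.example; s=s1; b=PLACEHOLDER
ARC-Authentication-Results: i=2; list.example; arc=pass; dkim=fail
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=s1; b=PLACEHOLDER
ARC-Authentication-Results: i=1; forwarder.example; spf=pass; dkim=pass
"""


def parse_tags(value):
    """Parse a 'k=v; k=v' list; bare tokens such as the authserv-id are skipped."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags


def parse_chain(raw_headers):
    """Return {instance: {"sealer": domain, "claims": {method: result}}}."""
    chain = {}
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        name, tags = name.strip().lower(), parse_tags(value)
        if not tags.get("i", "").isdigit():
            continue
        entry = chain.setdefault(int(tags.pop("i")), {"sealer": None, "claims": {}})
        if name == "arc-seal":
            entry["sealer"] = tags.get("d", "").lower()
        elif name == "arc-authentication-results":
            # Keep only the result word, dropping any trailing properties.
            entry["claims"] = {m: r.split()[0] for m, r in tags.items() if r}
    return chain


def relied_claims(chain, trusted_sealers):
    """A valid seal attributes claims to its sealer; rely on them only if trusted."""
    return {i: s["claims"] for i, s in sorted(chain.items())
            if s["sealer"] in trusted_sealers}


def originator_claims(chain, trusted_sealers):
    """Set 1 carries the claims about the originator; None if its sealer is untrusted."""
    return relied_claims(chain, trusted_sealers).get(1)
```

With only `list.example` trusted, the i=1 results are attributable to `forwarder.example` but contribute nothing about the originator.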


Re: [dmarc-ietf] [arc-discuss] Proposal to adopt ARC documents into the WG (toward phase 2 milestone)

2016-05-12 Thread Murray S. Kucherawy
On Wed, May 11, 2016 at 7:19 PM, Roland Turner wrote:

>
> I'd suggest not. AS[1] permits a receiver (or other assessor) to determine
> with some confidence that the putative signer made such an assertion about
> the putative originator, it provides no information about the involvement
> of the putative originator except to the extent that the assessor
> additionally trusts the assertions of the putative signer. Decisions to
> trust are necessarily outside the specification. This argument applies
> equivalently to AS[0] independent origination scenarios and to AS[>0]
> forwarding scenarios.
>

What would an i=0 ARC Set tell you that the i=1 set does not?

As I understand it, an i=0 set would be the author asserting "I validated
my own mail, and it was good."  How would one consume such an assertion in
a meaningful way?


>> > Yes, AS[1] testifies to the Authenticated-Results of receiving the message
>> > from the originator.
>>
>> That only proves the first receiver was involved.  A final receiver may trust
>> its results or not.
>>
>
> What is the first receiver reporting if not the authentication claims made
> by the originator?
>
>
> They could equally be reporting fraudulent claims in order to defeat email
> security systems at (a) downstream receiver(s).
>

...meaning nodes 0 (originator) and 1 are in collusion?  Sure, that's
possible, but how would requiring an i=0 thwart such an arrangement?

-MSK


Re: [dmarc-ietf] [arc-discuss] Proposal to adopt ARC documents into the WG (toward phase 2 milestone)

2016-05-11 Thread Roland Turner

On 05/12/2016 06:28 AM, Murray S. Kucherawy via arc-discuss wrote:

On Wed, May 11, 2016 at 9:54 AM, Alessandro Vesely wrote:



>> Doesn't the i=1 ARC set also prove the originator was involved?

No, it doesn't.


Could you say why not?  It seems to me the i=1 ARC set is validating 
the message authentication provided by the originator.  That seems to 
qualify to me as "involved" on the part of the originator.


I'd suggest not. AS[1] permits a receiver (or other assessor) to 
determine with some confidence that the putative signer made such an 
assertion about the putative originator, it provides no information 
about the involvement of the putative originator except to the extent 
that the assessor additionally trusts the assertions of the putative 
signer. Decisions to trust are necessarily outside the specification. 
This argument applies equivalently to AS[0] independent origination 
scenarios and to AS[>0] forwarding scenarios.



> Yes, AS[1] testifies to the Authenticated-Results of receiving the message
> from the originator.

That only proves the first receiver was involved. A final receiver may trust
its results or not.


What is the first receiver reporting if not the authentication claims 
made by the originator?


They could equally be reporting fraudulent claims in order to defeat 
email security systems at (a) downstream receiver(s).


- Roland
